diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index e149f4aa8d..aaf1b8c515 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage File id: 3bf5541a-6a45-4fdc-b01d-59b899fff961 -version: 2 -date: '2024-05-13' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly @@ -20,7 +20,8 @@ search: '| tstats `security_content_summariesonly` count, min(_time) as firstTim by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description - as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`' + as signature, comment_reference as desc, category | search isutility = TRUE + | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_file_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
@@ -28,9 +29,14 @@ how_to_implement: The detection is based on data that originates from Endpoint D the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) - to normalize the field names and speed up the data modeling process. + to normalize the field names and speed up the data modeling process. The "exceptions" + macro leverages both an Assets and Identities lookup, as well as a KVStore collection + called "remote_software_exceptions" that lets you track and maintain device-based + exceptions for this set of detections. known_false_positives: Known or approved applications used by the organization or - usage of built-in functions. + usage of built-in functions. Known false positives can be added to the + remote_access_software_usage_exception.csv lookup to globally suppress these + situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -72,6 +78,7 @@ tags: - Filesystem.file_name risk_score: 25 security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index a1a24241d4..61e05f0745 100644 --- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage FileInfo id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454 -version: 2 -date: '2024-05-29' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly 
@@ -20,12 +20,15 @@ search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) a lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`' + | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_fileinfo_filter`' how_to_implement: This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being - ingested into Splunk. + ingested into Splunk. The "exceptions" macro leverages both an Assets and Identities + lookup, as well as a KVStore collection named "remote_software_exceptions" + that lets you track and maintain device-based exceptions for this set of detections. known_false_positives: Known or approved applications used by the organization or - usage of built-in functions. + usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -67,7 +70,8 @@ tags: - process_name - process risk_score: 25 - security_domain: endpoint + security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index 717e5ca4de..0ce8bcbe32 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml 
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage Process id: ffd5e001-2e34-48f4-97a2-26dc4bb08178 -version: 2 -date: '2024-05-23' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly @@ -23,7 +23,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference - as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`' + as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
@@ -32,10 +32,15 @@ how_to_implement: The detection is based on data that originates from Endpoint D be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. + names and speed up the data modeling process. The "exceptions" macro leverages + both an Assets and Identities lookup, as well as a KVStore collection called + "remote_software_exceptions" that lets you track and maintain device- + based exceptions for this set of detections. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any - additional remote access software that is used within the environment. + additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -80,6 +85,7 @@ tags: - Processes.parent_process_name risk_score: 25 security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index a86b46edf3..a48285b7ee 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml 
@@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage DNS id: a16b797d-e309-41bd-8ba0-5067dae2e4be version: 3 -date: '2024-05-27' +date: '2024-07-09' author: Steven Dick status: production type: Anomaly 
@@ -13,9 +13,20 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, - category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`' -how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. Once the analytic is tuned for your environment, modify the risk scores to be more appropriate. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and legitimate remote access software is removed from it to not cause false positives. + category | eval dest = query | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_dns_filter`' +how_to_implement: To implement this search, you must ingest logs that contain the + DNS query and the source of the query. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the DNS logs. The logs must also + be mapped to the `Network_Resolution` data model. Use the Splunk Common Information + Model (CIM) to normalize the field names and speed up the data modeling process. 
The + "exceptions" macro leverages both an Assets and Identities lookup, + as well as a KVStore collection called "remote_software_exceptions" that lets + you track and maintain device-based exceptions for this set of detections. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -51,6 +62,7 @@ tags: - DNS.answer risk_score: 4 security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index b7b9c3d063..a5dcf1b690 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage Traffic id: 885ea672-07ee-475a-879e-60d28aa5dd42 -version: 2 -date: '2024-05-29' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly 
@@ -20,14 +20,19 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description - as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`' + as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_traffic_filter`' how_to_implement: The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. + names and speed up the data modeling process. The "exceptions" macro leverages + both an Assets and Identities lookup, as well as a KVStore collection called + "remote_software_exceptions" that lets you track and maintain device- + based exceptions for this set of detections. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -63,6 +68,7 @@ tags: - user risk_score: 25 security_domain: network + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: 
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index 42460961f3..9e20cc85a2 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage URL id: 9296f515-073c-43a5-88ec-eda5a4626654 -version: 2 -date: '2024-05-09' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly 
@@ -20,15 +20,20 @@ search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(We Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, - category | search isutility = True | `detect_remote_access_software_usage_url_filter`' + category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_url_filter`' how_to_implement: The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names - and speed up the data modeling process. + and speed up the data modeling process. The "exceptions" macro leverages + both an Assets and Identities lookup, as well as a KVStore collection called + "remote_software_exceptions" that lets you track and maintain device- + based exceptions for this set of detections. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any - additional remote access software that is used within the environment. + additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ 
@@ -70,6 +75,7 @@ tags: - Web.url_domain risk_score: 25 security_domain: network + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/lookups/remote_access_software.yml b/lookups/remote_access_software.yml index a9f72acf2a..e0b7174e23 100644 --- a/lookups/remote_access_software.yml +++ b/lookups/remote_access_software.yml @@ -1,8 +1,8 @@ description: A list of Remote Access Software -filename: remote_access_software.csv +filename: remote_access_software20240726.csv name: remote_access_software default_match: 'false' match_type: WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo) min_matches: 1 max_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: 'false' diff --git a/lookups/remote_access_software.csv b/lookups/remote_access_software20240726.csv similarity index 98% rename from lookups/remote_access_software.csv rename to lookups/remote_access_software20240726.csv index 2593eebb17..55cfadc270 100644 --- a/lookups/remote_access_software.csv +++ b/lookups/remote_access_software20240726.csv 
@@ -1,5 +1,10 @@ description,remote_domain,remote_utility,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update 247ithelp.com (ConnectWise),*.247ithelp.com,Remote Workforce Client.exe,,,TRUE,RMM,Simlar / replaced by ScreenConnect,2/8/2024 +Absolute (Computrace),*search.namequery.com,rpcnet.exe,Absolute Software*,absolute-manage,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),*server.absolute.com,ctes.exe,Absolute Persistence*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),,ctespersitence.exe,CTES*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),,cteshostsvc.exe,,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),,rpcld.exe,,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 Access Remote PC,,rpcgrab.exe,,,TRUE,RMM,,2/7/2024 Access Remote PC,,rpcsetup.exe,,,TRUE,RMM,,2/7/2024 Acronic Cyber Protect (Remotix),cloud.acronis.com,AcronisCyberProtectConnectQuickAssist*.exe,Acronis Cyber Protect Connect Quick Assist,remotix,TRUE,RMM,https://kb.acronis.com/content/47189,2/26/2024 
@@ -566,4 +571,4 @@ Zoho Assist,*.zohoassist.jp,ZMAgent.exe,,,TRUE,RMM,https://www.zoho.com/assist/k Zoho Assist,*.zohoassist.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 Zoho Assist,downloads.zohodl.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 Zoho Assist,downloads.zohocdn.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,gateway.zohoassist.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 \ No newline at end of file +Zoho Assist,gateway.zohoassist.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 diff --git a/lookups/remote_access_software_exceptions.yml b/lookups/remote_access_software_exceptions.yml new file mode 100644 index 0000000000..c59a12a474 --- /dev/null +++ b/lookups/remote_access_software_exceptions.yml @@ -0,0 +1,4 @@ +description: A list used to provide global exceptions to remote access monitoring content. +collection: remote_access_software_exceptions +name: remote_access_software_exceptions +fields_list: _key, asset, software, exception_date, exception_ttl_days, exception, comment diff --git a/macros/remote_access_software_usage_exceptions.yml b/macros/remote_access_software_usage_exceptions.yml new file mode 100644 index 0000000000..445565f594 --- /dev/null +++ b/macros/remote_access_software_usage_exceptions.yml 
@@ -0,0 +1,9 @@ +definition: 'eval exception_asset = CASE(isnotnull(src),src,isnotnull(dest),dest) + | lookup update=true asset_lookup_by_str asset as exception_asset OUTPUTNEW asset as asset_temp_field + | eval asset_temp_field = CASE(isnull(asset_temp_field),exception_asset,true(),asset_temp_field ) + | lookup remote_access_software_exceptions asset as asset_temp_field software as signature OUTPUT exception as rmm_exception, exception_date as rmm_exception_date, exception_ttl_days as rmm_exception_ttl_days, comment as rmm_exception_comment + | eval rmm_exception = mvdedup(mvfilter(NOT match(rmm_exception,"false"))), rmm_exception_date = mvdedup(mvfilter(NOT match(rmm_exception_date,"false"))), rmm_exception_ttl_days = mvdedup(mvfilter(NOT match(rmm_exception_ttl_days,"false"))), rmm_exception_comment = mvdedup(mvfilter(NOT match(rmm_exception_comment,"false"))), rmm_exception_end_date = relative_time(strptime(rmm_exception_date, "%Y-%m-%d"), "+"+rmm_exception_ttl_days+"d"), rmm_exception_end = CASE((now() >= rmm_exception_end_date),"TRUE",(now() < rmm_exception_end_date),"FALSE",(match(rmm_exception,"(?i)true") AND isnull(rmm_exception_ttl_days)),"UNLIMITED") + | search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED")) + | fields - asset_temp_field,exception_asset' +description: Macro used with remote access monitoring content to define exception lookup and usage. Returns filtered results based on contents of remote_access_software_usage_exception.csv +name: remote_access_software_usage_exceptions \ No newline at end of file
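Review bot: the new exception store is referred to by three different names across this patch, which will send users looking for a file that does not exist. The `how_to_implement` text added to all six detections calls the KVStore collection "remote_software_exceptions", the `known_false_positives` text and the macro `description` tell users to add entries to `remote_access_software_usage_exception.csv`, but `lookups/remote_access_software_exceptions.yml` defines a collection named `remote_access_software_exceptions` and no CSV is added. Suggest using the collection name from the lookup definition in every detection and in the macro description, and saying explicitly that it is a KVStore collection (populated via the lookup editor or REST), not a CSV file.

Review bot: in the `detect_remote_access_software_usage_dns.yml` hunk the search changes (the exceptions macro is inserted) and the date moves to 2024-07-09, but `version: 3` is left as is, while the other five detections go from 2 to 3 for the same change; bump it to 4 so downstream content tracking sees the search change. The rewritten `how_to_implement` also drops the sentence "Once the analytic is tuned for your environment, modify the risk scores to be more appropriate." and `known_false_positives` now says to add legitimate software to the lookup where it previously said to remove it; if the reversal is intentional because the exceptions macro now handles approved software, say so, otherwise restore the original wording.

Review bot: in `detect_remote_access_software_usage_fileinfo.yml` the hunk removes and re-adds `security_domain: endpoint` with no visible content change, so the diff is carrying a whitespace-only edit (trailing space or indentation); tidy it so the hunk only shows the added `manual_test` key.

Review bot: `lookups/remote_access_software.yml` renames the CSV to `remote_access_software20240726.csv` while every detection in this patch is dated 2024-07-09 and the newest `last_update` value in the CSV is 6/18/2024; pick one date for the stamped filename or drop the stamp, and note in the commit message why the file is versioned by name (the `name: remote_access_software` key is unchanged, so the detections' `lookup remote_access_software ...` calls keep working, which is fine).

Review bot: the new Absolute (Computrace) rows in the CSV use `remote_domain` patterns `*search.namequery.com` and `*server.absolute.com` without a dot before the host, unlike the `*.247ithelp.com` style used by the neighbouring rows; with `match_type: WILDCARD(remote_domain)` this matches the apex name as well as any prefix of it, so confirm that is intended and keep the wildcard style consistent across the file. Also only the first Absolute row carries `remote_appid` (`absolute-manage`); if the other binaries share that app id, repeat it so the traffic detection sees them too.

Review bot: `lookups/remote_access_software_exceptions.yml` lists the fields but not the value formats the macro depends on: `exception` must be the string `true`/`false` (the macro tests `match(rmm_exception,"(?i)true")`), `exception_date` must be `%Y-%m-%d` (the macro calls `strptime(rmm_exception_date, "%Y-%m-%d")`), and `exception_ttl_days` must be an integer day count. Document these in `description`, and state that a record with `exception_ttl_days` but no `exception_date` yields a null `rmm_exception_end` and is silently ignored rather than treated as an error or as unlimited.

Review bot: in the macro definition, `rmm_exception`, `rmm_exception_date`, `rmm_exception_ttl_days` and `rmm_exception_comment` are each passed through `mvdedup(mvfilter(...))` independently, so when more than one KVStore record matches the same asset/software pair the values of the four fields no longer line up by index, and the `relative_time(strptime(...))` expiry arithmetic is applied to a multivalue field; the TRUE/FALSE/UNLIMITED verdict then becomes unreliable. Either constrain the lookup to a single match or compute the expiry per record before deduplicating (for example with `mvmap` over a combined field). Two smaller points: the `mvfilter(NOT match(field,"false"))` clauses are case-sensitive and only ever make sense for `rmm_exception` (dates, TTLs and comments never equal "false"), so drop them from the other three fields or explain their purpose; and `rmm_exception_end = "TRUE"` means the exception has expired, which reads backwards next to `rmm_exception = TRUE`, so a name like `rmm_exception_expired` would be clearer.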