
add_more_win_tag #3216

Status: Open. Wants to merge 1 commit into base branch develop.

Conversation

tccontre (Contributor) commented Nov 28, 2024

Tagged

add_or_set_windows_defender_exclusion.yml
attacker_tools_on_endpoint.yml
attempted_credential_dump_from_registry_via_reg_exe.yml
batch_file_write_to_system32.yml
bcdedit_failure_recovery_modification.yml
certutil_download_with_urlcache_and_split_arguments.yml
certutil_download_with_verifyctl_and_split_arguments.yml
certutil_exe_certificate_extraction.yml
clear_unallocated_sector_using_cipher_app.yml
clop_common_exec_parameter.yml
clop_ransomware_known_service_name.yml
cmd_echo_pipe___escalation.yml
connectwise_screenconnect_path_traversal_windows_sacl.yml
conti_common_exec_parameter.yml
control_loading_from_world_writable_directory.yml
creation_of_shadow_copy.yml
creation_of_shadow_copy_with_wmic_and_powershell.yml
credential_dumping_via_copy_command_from_shadow_copy.yml
credential_dumping_via_symlink_to_shadow_copy.yml
curl_download_and_bash_execution.yml
deleting_shadow_copies.yml
detect_azurehound_command_line_arguments.yml
detect_certify_command_line_arguments.yml
detect_exchange_web_shell.yml
detect_html_help_spawn_child_process.yml
detect_html_help_url_in_command_line.yml
detect_html_help_using_infotech_storage_handlers.yml
detect_mshta_inline_hta_execution.yml
detect_mshta_url_in_command_line.yml
detect_regasm_spawning_a_process.yml
detect_regsvcs_spawning_a_process.yml
detect_regsvr32_application_control_bypass.yml
detect_rundll32_application_control_bypass___advpack.yml
detect_rundll32_application_control_bypass___setupapi.yml
detect_rundll32_application_control_bypass___syssetup.yml
detect_webshell_exploit_behavior.yml
dns_exfiltration_using_nslookup_app.yml
dsquery_domain_discovery.yml
dump_lsass_via_comsvcs_dll.yml
dump_lsass_via_procdump.yml
enumerate_users_local_group_using_telegram.yml
excel_spawning_powershell.yml
excel_spawning_windows_script_host.yml
executable_file_written_in_administrative_smb_share.yml
fodhelper_uac_bypass.yml
gpupdate_with_no_command_line_arguments_with_network.yml
hiding_files_and_directories_with_attrib_exe.yml
icacls_deny_command.yml
impacket_lateral_movement_commandline_parameters.yml
impacket_lateral_movement_smbexec_commandline_parameters.yml
impacket_lateral_movement_wmiexec_commandline_parameters.yml
kerberoasting_spn_request_with_rc4_encryption.yml
known_services_killed_by_ransomware.yml
malicious_powershell_executed_as_a_service.yml
office_application_drop_executable.yml
office_application_spawn_regsvr32_process.yml
office_application_spawn_rundll32_process.yml
office_product_spawning_bitsadmin.yml
office_product_spawning_certutil.yml
office_product_spawning_mshta.yml
office_product_spawning_rundll32_with_no_dll.yml
office_product_spawning_windows_script_host.yml
office_product_spawning_wmic.yml
office_product_writing_cab_or_inf.yml
office_spawning_control.yml
remote_process_instantiation_via_dcom_and_powershell.yml
remote_process_instantiation_via_wmi_and_powershell.yml
resize_shadowstorage_volume.yml
rundll32_control_rundll_world_writable_directory.yml
rundll32_shimcache_flush.yml
rundll32_with_no_command_line_arguments_with_network.yml
ryuk_wake_on_lan_command.yml
schedule_task_with_http_command_arguments.yml
schedule_task_with_rundll32_command_trigger.yml
schtasks_scheduling_job_on_remote_system.yml
searchprotocolhost_with_no_command_line_with_network.yml
secretdumps_offline_ntds_dumping_tool.yml
serviceprincipalnames_discovery_with_setspn.yml
services_escalate_exe.yml
shim_database_installation_with_suspicious_parameters.yml
short_lived_scheduled_task.yml
single_letter_process_on_endpoint.yml
slui_runas_elevated.yml
slui_spawning_a_process.yml
spoolsv_spawning_rundll32.yml
spoolsv_writing_a_dll.yml
suspicious_computer_account_name_change.yml
suspicious_copy_on_system32.yml
wget_download_and_bash_execution.yml
windows_ad_cross_domain_sid_history_addition.yml
windows_ad_domain_controller_promotion.yml
windows_ad_domain_replication_acl_addition.yml
windows_ad_privileged_account_sid_history_addition.yml
windows_ad_replication_request_initiated_by_user_account.yml
windows_ad_replication_request_initiated_from_unsanctioned_location.yml
windows_ad_same_domain_sid_history_addition.yml
windows_ad_short_lived_domain_controller_spn_attribute.yml
windows_ad_short_lived_server_object.yml
windows_alternate_datastream___process_execution.yml
windows_change_default_file_association_for_no_file_ext.yml
windows_com_hijacking_inprocserver32_modification.yml
windows_command_and_scripting_interpreter_path_traversal_exec.yml
windows_command_shell_dcrat_forkbomb_payload.yml
windows_computer_account_with_spn.yml
windows_conhost_with_headless_argument.yml
windows_credential_dumping_lsass_memory_createdump.yml
windows_credentials_from_password_stores_creation.yml
windows_credentials_from_password_stores_deletion.yml
windows_curl_download_to_suspicious_path.yml
windows_curl_upload_to_remote_destination.yml
windows_disable_windows_event_logging_disable_http_logging.yml
windows_dism_remove_defender.yml
windows_dll_search_order_hijacking_with_iscsicpl.yml
windows_domain_admin_impersonation_indicator.yml
windows_event_log_cleared.yml
windows_excessive_disabled_services_event.yml
windows_execute_arbitrary_commands_with_msdt.yml
windows_hidden_schedule_task_settings.yml
windows_installutil_remote_network_connection.yml
windows_installutil_uninstall_option.yml
windows_installutil_uninstall_option_with_network.yml
windows_installutil_url_in_command_line.yml
windows_kerberos_local_successful_logon.yml
windows_krbrelayup_service_creation.yml
windows_masquerading_explorer_as_child_process.yml
windows_masquerading_msdtc_process.yml
windows_mimikatz_binary_execution.yml
windows_modify_system_firewall_with_notable_process_path.yml
windows_mof_event_triggered_execution_via_wmi.yml
windows_msiexec_spawn_windbg.yml
windows_office_product_spawning_msdt.yml
windows_papercut_ng_spawn_shell.yml
windows_parent_pid_spoofing_with_explorer.yml
windows_privilege_escalation_user_process_spawn_system_process.yml
windows_raccine_scheduled_task_deletion.yml
windows_rasautou_dll_execution.yml
windows_regsvr32_renamed_binary.yml
windows_remote_assistance_spawning_process.yml
windows_remote_service_rdpwinst_tool_execution.yml
windows_scheduled_task_with_highest_privileges.yml
windows_security_account_manager_stopped.yml
windows_service_create_sliverc2.yml
windows_service_create_with_tscon.yml
windows_snake_malware_service_create.yml
windows_soaphound_binary_execution.yml
windows_spearphishing_attachment_onenote_spawn_mshta.yml
windows_special_privileged_logon_on_multiple_hosts.yml
windows_steal_authentication_certificates___esc1_authentication.yml
windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
windows_uac_bypass_suspicious_escalation_behavior.yml
windows_valid_account_with_never_expires_password.yml
windows_windbg_spawning_autoit3.yml
winevent_scheduled_task_created_to_spawn_shell.yml
winevent_scheduled_task_created_within_public_path.yml
winhlp32_spawning_a_process.yml
winrar_spawning_shell_application.yml
winword_spawning_cmd.yml
winword_spawning_powershell.yml
winword_spawning_windows_script_host.yml
wmic_xsl_execution_via_url.yml

Analytic story: Compromised Windows Host

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that are causing an issue. In some cases, it's also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.
