From b43bb4fb4e9ee9ddf151dcb8d6768895a806209c Mon Sep 17 00:00:00 2001 
From: pyth0n1c Date: Tue, 24 Sep 2024 16:37:44 -0700 Subject: [PATCH 1/5] Fix dates, fields with spaces, and update verisons for many detections --- .../okta_multiple_failed_mfa_requests_for_user.yml | 6 +++--- detections/application/windows_ad_object_owner_updated.yml | 6 +++--- .../asl_aws_concurrent_sessions_from_different_ips.yml | 6 +++--- .../cloud/asl_aws_new_mfa_method_registered_for_user.yml | 6 +++--- .../cloud/aws_concurrent_sessions_from_different_ips.yml | 6 +++--- detections/cloud/aws_new_mfa_method_registered_for_user.yml | 6 +++--- ..._successful_console_authentication_from_multiple_ips.yml | 6 +++--- detections/cloud/aws_updateloginprofile.yml | 6 +++--- .../cloud/azure_active_directory_high_risk_sign_in.yml | 6 +++--- .../azure_ad_application_administrator_role_assigned.yml | 6 +++--- .../azure_ad_authentication_failed_during_mfa_challenge.yml | 6 +++--- .../azure_ad_concurrent_sessions_from_different_ips.yml | 6 +++--- ...re_ad_high_number_of_failed_authentications_for_user.yml | 6 +++--- ...ure_ad_high_number_of_failed_authentications_from_ip.yml | 6 +++--- .../azure_ad_multi_source_failed_authentications_spike.yml | 6 +++--- ..._multiple_appids_and_useragents_authentication_spike.yml | 6 +++--- .../azure_ad_multiple_failed_mfa_requests_for_user.yml | 6 +++--- .../azure_ad_multiple_service_principals_created_by_sp.yml | 6 +++--- ...azure_ad_multiple_service_principals_created_by_user.yml | 6 +++--- ...re_ad_multiple_users_failing_to_authenticate_from_ip.yml | 6 +++--- detections/cloud/azure_ad_new_custom_domain_added.yml | 6 +++--- detections/cloud/azure_ad_new_federated_domain_added.yml | 6 +++--- .../cloud/azure_ad_new_mfa_method_registered_for_user.yml | 6 +++--- detections/cloud/azure_ad_pim_role_assigned.yml | 6 +++--- detections/cloud/azure_ad_pim_role_assignment_activated.yml | 6 +++--- ...rivileged_authentication_administrator_role_assigned.yml | 6 +++--- detections/cloud/azure_ad_privileged_role_assigned.yml | 6 +++--- 
...ure_ad_privileged_role_assigned_to_service_principal.yml | 6 +++--- .../cloud/azure_ad_service_principal_authentication.yml | 6 +++--- .../azure_ad_service_principal_new_client_credentials.yml | 6 +++--- detections/cloud/azure_ad_service_principal_owner_added.yml | 6 +++--- ...zure_ad_successful_authentication_from_different_ips.yml | 6 +++--- .../cloud/azure_ad_successful_powershell_authentication.yml | 6 +++--- .../azure_ad_successful_single_factor_authentication.yml | 6 +++--- ..._ad_unusual_number_of_failed_authentications_from_ip.yml | 6 +++--- .../azure_ad_user_consent_denied_for_oauth_application.yml | 6 +++--- .../cloud/azure_ad_user_enabled_and_password_reset.yml | 6 +++--- .../cloud/azure_ad_user_immutableid_attribute_updated.yml | 6 +++--- detections/cloud/azure_automation_account_created.yml | 6 +++--- detections/cloud/azure_automation_runbook_created.yml | 6 +++--- detections/cloud/azure_runbook_webhook_created.yml | 6 +++--- .../gcp_authentication_failed_during_mfa_challenge.yml | 6 +++--- .../cloud/o365_compliance_content_search_exported.yml | 6 +++--- detections/cloud/o365_compliance_content_search_started.yml | 6 +++--- .../cloud/o365_concurrent_sessions_from_different_ips.yml | 6 +++--- .../cloud/o365_elevated_mailbox_permission_assigned.yml | 6 +++--- .../o365_high_number_of_failed_authentications_for_user.yml | 6 +++--- .../cloud/o365_mailbox_folder_read_permission_granted.yml | 6 +++--- .../o365_multi_source_failed_authentications_spike.yml | 6 +++--- ..._multiple_appids_and_useragents_authentication_spike.yml | 6 +++--- .../cloud/o365_multiple_failed_mfa_requests_for_user.yml | 6 +++--- .../cloud/o365_multiple_mailboxes_accessed_via_api.yml | 2 +- .../o365_multiple_users_failing_to_authenticate_from_ip.yml | 6 +++--- detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml | 6 +++--- .../cloud/o365_oauth_app_mailbox_access_via_graph_api.yml | 6 +++--- .../cloud/o365_security_and_compliance_alert_triggered.yml | 6 +++--- 
.../cloud/o365_service_principal_new_client_credentials.yml | 6 +++--- .../o365_user_consent_denied_for_oauth_application.yml | 6 +++--- ...erberos_pre_authentication_discovery_with_get_aduser.yml | 6 +++--- ...kerberos_pre_authentication_discovery_with_powerview.yml | 6 +++--- ...e_authentication_flag_disabled_in_useraccountcontrol.yml | 6 +++--- ...kerberos_service_ticket_request_using_rc4_encryption.yml | 6 +++--- .../endpoint/kerberos_tgt_request_using_rc4_encryption.yml | 6 +++--- detections/endpoint/kerberos_user_enumeration.yml | 6 +++--- detections/endpoint/linux_auditd_add_user_account_type.yml | 6 +++--- .../linux_auditd_database_file_and_directory_discovery.yml | 6 +++--- detections/endpoint/linux_auditd_find_private_keys.yml | 6 +++--- .../linux_auditd_hidden_files_and_directories_creation.yml | 6 +++--- ...nux_auditd_virtual_disk_file_and_directory_discovery.yml | 6 +++--- .../endpoint/malicious_powershell_executed_as_a_service.yml | 6 +++--- .../endpoint/randomly_generated_scheduled_task_name.yml | 6 +++--- .../endpoint/randomly_generated_windows_service_name.yml | 6 +++--- ...beus_kerberos_ticket_exports_through_winlogon_access.yml | 6 +++--- detections/endpoint/short_lived_scheduled_task.yml | 6 +++--- .../endpoint/suspicious_kerberos_service_ticket_request.yml | 6 +++--- .../endpoint/suspicious_ticket_granting_ticket_request.yml | 6 +++--- ...unusual_number_of_computer_service_tickets_requested.yml | 6 +++--- ...unusual_number_of_kerberos_service_tickets_requested.yml | 6 +++--- ...sual_number_of_remote_endpoint_authentication_events.yml | 6 +++--- ...dows_ad_serviceprincipalname_added_to_domain_account.yml | 6 +++--- ...s_ad_short_lived_domain_account_serviceprincipalname.yml | 6 +++--- .../endpoint/windows_ad_short_lived_server_object.yml | 6 +++--- .../endpoint/windows_ad_sid_history_attribute_modified.yml | 6 +++--- ...ows_administrative_shares_accessed_on_multiple_hosts.yml | 6 +++--- .../windows_admon_default_group_policy_object_modified.yml 
| 6 +++--- .../endpoint/windows_admon_group_policy_object_created.yml | 6 +++--- .../windows_default_group_policy_object_modified.yml | 6 +++--- detections/endpoint/windows_dnsadmins_new_member_added.yml | 6 +++--- .../windows_domain_admin_impersonation_indicator.yml | 6 +++--- .../windows_esx_admins_group_creation_security_event.yml | 6 +++--- ...ws_get_adcomputer_unconstrained_delegation_discovery.yml | 6 +++--- detections/endpoint/windows_group_policy_object_created.yml | 6 +++--- ...s_large_number_of_computer_service_tickets_requested.yml | 6 +++--- .../windows_local_administrator_credential_stuffing.yml | 4 ++-- .../endpoint/windows_multiple_account_passwords_changed.yml | 6 +++--- detections/endpoint/windows_multiple_accounts_deleted.yml | 6 +++--- detections/endpoint/windows_multiple_accounts_disabled.yml | 6 +++--- ...iple_invalid_users_failed_to_authenticate_using_ntlm.yml | 6 +++--- ...e_users_fail_to_authenticate_wth_explicitcredentials.yml | 6 +++--- ...le_users_failed_to_authenticate_from_host_using_ntlm.yml | 6 +++--- ...s_multiple_users_failed_to_authenticate_from_process.yml | 6 +++--- ...iple_users_remotely_failed_to_authenticate_from_host.yml | 6 +++--- detections/endpoint/windows_powersploit_gpp_discovery.yml | 6 +++--- ...windows_powerview_ad_access_control_list_enumeration.yml | 6 +++--- ...windows_service_created_with_suspicious_service_path.yml | 6 +++--- .../windows_special_privileged_logon_on_multiple_hosts.yml | 6 +++--- ...ual_count_of_invalid_users_failed_to_auth_using_ntlm.yml | 6 +++--- ..._count_of_users_fail_to_auth_wth_explicitcredentials.yml | 6 +++--- ...l_count_of_users_failed_to_authenticate_from_process.yml | 6 +++--- ...ual_count_of_users_failed_to_authenticate_using_ntlm.yml | 6 +++--- ...ual_count_of_users_remotely_failed_to_auth_from_host.yml | 6 +++--- 111 files changed, 330 insertions(+), 330 deletions(-) 
diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
index bf761654d3..ad1a3bb44c 100644
--- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Failed MFA Requests For User
 id: 826dbaae-a1e6-4c8c-b384-d16898956e73
-version: 2
-date: '2024-05-20'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
@@ -14,7 +14,7 @@ description: The following analytic identifies multiple failed multi-factor auth
 MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems.
-search: ' `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE
+search: '`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE
 debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count
diff --git a/detections/application/windows_ad_object_owner_updated.yml b/detections/application/windows_ad_object_owner_updated.yml
index 3aca7ad031..4a897d670c 100644
--- a/detections/application/windows_ad_object_owner_updated.yml
+++ b/detections/application/windows_ad_object_owner_updated.yml
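Review bot: The only content change in this hunk's `search:` line is dropping the space between the opening quote and the leading macro, and the same one-character fix is repeated in every later hunk of this patch (windows_ad_object_owner_updated, asl_aws_*, aws_*, azure_*), each paired with a version and date bump. Nothing in the patch stops that whitespace from creeping back in, so the better place for this fix is a validation rule that fails a detection whose `search` value begins or ends with whitespace, which would also make the per-file version bump for a cosmetic change unnecessary next time. The `search` value is a multi-line scalar that continues past the end of the hunk.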
@@ -1,14 +1,14 @@
 name: Windows AD Object Owner Updated
 id: 4af01f6b-d8d4-4f96-8635-758a01557130
-version: 1
-date: '2023-11-13'
+version: 2
+date: '2024-09-24'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
 - Windows Security 5136
 description: AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object.
-search: ' `wineventlog_security` EventCode=5136
+search: '`wineventlog_security` EventCode=5136
 | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId DSName | rex field=old_value "O:(?P.*?)G:" | rex field=new_value "O:(?P.*?)G:"
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index 48dbeea690..463c6f1389 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Concurrent Sessions From Different Ips
 id: b3424bbe-3204-4469-887b-ec144483a336
-version: 3
-date: '2024-05-24'
+version: 4
+date: '2024-09-24'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
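Review bot: The two `rex` calls at the end of the windows_ad_object_owner_updated hunk read `"O:(?P.*?)G:"`, i.e. a `(?P` group with no name between `?P` and the pattern; as written the regex engine behind `rex` rejects that, so the search would error out instead of extracting the old and new owner SIDs and the detection would never fire. If the page rendering merely stripped an angle-bracketed group name this can be ignored, but it is worth confirming in the file that each group is spelled `(?P<name>...)` since the hunk touches the `search` value and the version is being bumped anyway. The `search` value continues past the end of the hunk.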
@@ -15,7 +15,7 @@ description: The following analytic identifies an AWS IAM account with concurren
 to sensitive corporate resources, leading to potential data breaches or further exploitation.
 data_source: []
-search: ' `amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal"
+search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal"
 | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index 526f66fd1c..3dc9338f7b 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 3
-date: '2024-05-18'
+version: 4
+date: '2024-09-24'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic identifies the registration of a new Multi-F
 to secure their access, making it harder to detect and remove their presence from the compromised environment.
 data_source: []
-search: ' `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull |
+search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull |
 stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region,
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index 7ba859e18e..2c45ddc3fe 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: AWS Concurrent Sessions From Different Ips
 id: 51c04fdb-2746-465a-b86e-b413a09c9085
-version: 2
-date: '2024-05-15'
+version: 3
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies an AWS IAM account with concurren
 exploitation within the AWS environment.
 data_source:
 - AWS CloudTrail DescribeEventAggregates
-search: ' `cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal"
+search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal"
 | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`'
diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
index 2abb607440..f8b785bbbf 100644
--- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: AWS New MFA Method Registered For User
 id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects the registration of a new Multi-Fact
 potentially leading to further unauthorized activities and data breaches.
 data_source:
 - AWS CloudTrail CreateVirtualMFADevice
-search: ' `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName)
+search: '`cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName)
 as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index 7e324252e3..cee567d333 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
@@ -1,7 +1,7 @@
 name: AWS Successful Console Authentication From Multiple IPs
 id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 3
-date: '2024-05-26'
+version: 4
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: The following analytic detects an AWS account successfully authenti
 resources, leading to data breaches or further exploitation within the AWS environment.
 data_source:
 - AWS CloudTrail ConsoleLogin
-search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent)
+search: '`cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent)
 as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`'
 how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This
diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml
index 1ff20b3915..a89f609b9b 100644
--- a/detections/cloud/aws_updateloginprofile.yml
+++ b/detections/cloud/aws_updateloginprofile.yml
@@ -1,7 +1,7 @@
 name: AWS UpdateLoginProfile
 id: 2a9b80d3-6a40-4115-11ad-212bf3d0d111
-version: 4
-date: '2024-05-17'
+version: 5
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects an AWS CloudTrail event where a user
 resources within the AWS environment.
 data_source:
 - AWS CloudTrail UpdateLoginProfile
-search: ' `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com
+search: '`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com
 errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode
diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
index 7f07462ef4..32530c76ee 100644
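Review bot: In the aws_updateloginprofile hunk the context line `| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)` hands two dotted field names to `eval` unquoted; inside `eval` the dot is the concatenation operator, so unless both names are single-quoted (`'userIdentity.userName'`, `'requestParameters.userName'`) this may evaluate a concatenation of non-existent fields, `match` then yields null, `| search match=0` drops every event and the detection never fires — worth confirming against the unit test rather than assuming. Separately, `match()` treats its second argument as a regular expression, not a literal, so a target user name that is a prefix of (or contains metacharacters matching) the caller's name is classed as a self-change and filtered out; an exact comparison, `if('userIdentity.userName'=='requestParameters.userName',1,0)`, expresses the intended "someone else's profile" test more tightly. The `search` value continues past the end of the hunk.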
--- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml
+++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
@@ -1,7 +1,7 @@
 name: Azure Active Directory High Risk Sign-in
 id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea
-version: 3
-date: '2024-05-22'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects high-risk sign-in attempts against A
 exploitation within the environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high |
+search: '`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high |
 rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`'
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index f527f11123..590c62bdcc 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 3
-date: '2024-05-15'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies the assignment of the Application
 malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant.
-search: ' `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application
+search: '`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application
 Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
index 86627df216..bc598f1b1c 100644
--- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
 name: Azure AD Authentication Failed During MFA Challenge
 id: e62c9c2e-bf51-4719-906c-3074618fcc1c
-version: 3
-date: '2024-05-18'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: 'The following analytic identifies failed authentication attempts a
 to unauthorized access and further compromise of the affected account.'
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
+search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`'
diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
index 2c5ac52377..8ca3daeb0d 100644
--- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: Azure AD Concurrent Sessions From Different Ips
 id: a9126f73-9a9b-493d-96ec-0dd06695490d
-version: 4
-date: '2024-08-05'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects an Azure AD account with concurrent
 information and potential data breaches.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success
+search: '`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success
 | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips dc(location.city) as dc_city values(location.city) as city values(src_ip) as src_ip values(appDisplayName) as appDisplayName values(location.countryOrRegion) by user _time
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
index 98b05d1f52..ed5bd22cbe 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD High Number Of Failed Authentications For User
 id: 630b1694-210a-48ee-a450-6f79e7679f2c
-version: 3
-date: '2024-05-29'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies an Azure AD account experiencing
 based on their specific environment to reduce false positives.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126
+search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126
 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
index b30ace6fc6..105088d9ba 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: Azure AD High Number Of Failed Authentications From Ip
 id: e5ab41bf-745d-4f72-a393-2611151afd8e
-version: 4
-date: '2024-08-05'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects an IP address with 20 or more failed
 within the Azure environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126
+search: '`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126
 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip _time | where count > 20 | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
index e96759611d..6062b4008c 100644
--- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multi-Source Failed Authentications Spike
 id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
-version: 3
-date: '2024-05-14'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
@@ -16,7 +16,7 @@ description: The following analytic detects potential distributed password spray
 login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.
-search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126
+search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126
 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations,
diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
index 4c973afffd..b33ef97db5 100644
--- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple AppIDs and UserAgents Authentication Spike
 id: 5d8bb1f0-f65a-4b4e-af2e-fcdb88276314
-version: 3
-date: '2024-05-26'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -15,7 +15,7 @@ description: The following analytic detects unusual authentication activity in A
 If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. Early detection is crucial to prevent substantial harm.
-search: ' `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
+search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
 (properties.authenticationRequirement="multiFactorAuthentication" AND properties.status.additionalDetails="MFA required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication AND "properties.authenticationDetails{}.succeeded"=true) | bucket span=5m _time
diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
index e56b196c40..fccdb81d79 100644
--- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Failed MFA Requests For User
 id: 264ea131-ab1f-41b8-90e0-33ad1a1888ea
-version: 4
-date: '2024-05-20'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies multiple failed multi-factor auth
 within the environment.
 data_source:
 - Azure Active Directory Sign-in activity
-search: ' `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
+search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
 properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails,
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
index 407709ae8c..c3e0ed30e6 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Service Principals Created by SP
 id: 66cb378f-234d-4fe1-bb4c-e7878ff6b017
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Add service principal
@@ -15,7 +15,7 @@ description: The following analytic detects when a single service principal in A
 establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.
-search: ' `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=*
+search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=*
 | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName)
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
index bb71615da5..cabd3d5f12 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Service Principals Created by User
 id: 32880707-f512-414e-bd7f-204c0c85b758
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Add service principal
@@ -15,7 +15,7 @@ description: The following analytic identifies instances where a single user cre
 an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.
-search: ' `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
+search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
 | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps >
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index 3b4582fc2e..32c61134bd 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Users Failing To Authenticate From Ip
 id: 94481a6a-8f59-4c86-957f-55a71e3612a6
-version: 3
-date: '2024-05-13'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: 'The following analytic detects a single source IP failing to authe
 access, data breaches, or privilege escalation within the Azure AD environment.'
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126
+search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126
 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts
diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml
index 9699b2bed5..7476d918a4 100644
--- a/detections/cloud/azure_ad_new_custom_domain_added.yml
+++ b/detections/cloud/azure_ad_new_custom_domain_added.yml
@@ -1,7 +1,7 @@
 name: Azure AD New Custom Domain Added
 id: 30c47f45-dd6a-4720-9963-0bca6c8686ef
-version: 3
-date: '2024-05-14'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the addition of a new custom domain
 posing a severe security risk.
 data_source:
 - Azure Active Directory Add unverified domain
-search: ' `azure_monitor_aad` operationName="Add unverified domain" properties.result=success
+search: '`azure_monitor_aad` operationName="Add unverified domain" properties.result=success
 | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml
index a0b3cad525..15b462b26e 100644
--- a/detections/cloud/azure_ad_new_federated_domain_added.yml
+++ b/detections/cloud/azure_ad_new_federated_domain_added.yml
@@ -1,7 +1,7 @@
 name: Azure AD New Federated Domain Added
 id: a87cd633-076d-4ab2-9047-977751a3c1a0
-version: 3
-date: '2024-05-28'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects the addition of a new federated doma
 leading to unauthorized access and control over the Azure AD environment.
 data_source:
 - Azure Active Directory Set domain authentication
-search: ' `azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success
+search: '`azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success
 | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
index e0e0bd3bc5..e228d70705 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD New MFA Method Registered For User
 id: 2628b087-4189-403f-9044-87403f777a1b
-version: 3
-date: '2024-05-29'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects the registration of a new Multi-Fact
 escalate their privileges within the environment.
 data_source:
 - Azure Active Directory User registered security info
-search: ' `azure_monitor_aad` category=AuditLogs operationName="User registered security
+search: '`azure_monitor_aad` category=AuditLogs operationName="User registered security
 info" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml
index 6d4ea20cdb..9e5533d660 100644
--- a/detections/cloud/azure_ad_pim_role_assigned.yml
+++ b/detections/cloud/azure_ad_pim_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assigned
 id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 3
-date: '2024-05-14'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects the assignment of an Azure AD Privil
 monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.
-search: ' `azure_monitor_aad` operationName="Add eligible member to role in PIM completed*"
+search: '`azure_monitor_aad` operationName="Add eligible member to role in PIM completed*"
 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
index e87d24a8b2..e4798550c4 100644
--- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml
+++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assignment Activated
 id: 952e80d0-e343-439b-83f4-808c3e6fbf2e
-version: 4
-date: '2024-05-25'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the activation of an Azure AD Privil
 attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.
-search: ' `azure_monitor_aad` operationName="Add member to role completed (PIM activation)"
+search: '`azure_monitor_aad` operationName="Add member to role completed (PIM activation)"
 | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index f0c6deb71a..00dc30bcf2 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Authentication Administrator Role Assigned
 id: a7da845d-6fae-41cf-b823-6c0b8c55814a
-version: 3
-date: '2024-05-20'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the assignment of the Privileged Aut
 an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.
-search: ' `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged
+search: '`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged
 Authentication Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index 841b4c60f5..b45e741f5c 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 3
-date: '2024-05-29'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects the assignment of privileged Azure A
 over the Azure AD infrastructure.
 data_source:
 - Azure Active Directory Add member to role
-search: ' `azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as *
+search: '`azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as *
 | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1)
diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
index 3022a4b9fd..e9bce48276 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Role Assigned to Service Principal
 id: 5dfaa3d3-e2e4-4053-8252-16d9ee528c41
-version: 3
-date: '2024-05-31'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: "The following analytic detects the assignment of privileged roles
 and ensures the security of Azure environments."
 data_source:
 - Azure Active Directory Add member to role
-search: ' `azure_monitor_aad` operationName="Add member to role"
+search: '`azure_monitor_aad` operationName="Add member to role"
 | rename properties.* as * | search "targetResources{}.type"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy
diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml
index e357d5d3cb..d31852b954 100644
--- a/detections/cloud/azure_ad_service_principal_authentication.yml
+++ b/detections/cloud/azure_ad_service_principal_authentication.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal Authentication
 id: 5a2ec401-60bb-474e-b936-1e66e7aa4060
-version: 2
-date: '2024-05-21'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Sign-in activity
@@ -16,7 +16,7 @@ description: The following analytic identifies authentication events of service
 or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.
-search: ' `azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs
+search: '`azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs
 | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`'
diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
index 99e48bd36c..f54cbe9402 100644
--- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
+++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal New Client Credentials
 id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a
-version: 3
-date: '2024-05-11'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the addition of new credentials to S
 access and control over the Azure environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates
+search: '`azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates
 and secrets management " | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
index 104b919d26..dcbba32665 100644
--- a/detections/cloud/azure_ad_service_principal_owner_added.yml
+++ b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal Owner Added
 id: 7ddf2084-6cf3-4a44-be83-474f7b73c701
-version: 4
-date: '2024-05-28'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the addition of a new owner to a Ser
 leading to unauthorized access and control over critical resources.
 data_source:
 - Azure Active Directory Add owner to application
-search: ' `azure_monitor_aad` operationName="Add owner to application" | rename properties.*
+search: '`azure_monitor_aad` operationName="Add owner to application" | rename properties.*
 as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats
diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
index 01ce2310b9..00ecb20323 100644
--- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
+++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: Azure AD Successful Authentication From Different Ips
 id: be6d868d-33b6-4aaa-912e-724fb555b11a
-version: 4
-date: '2024-05-26'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects an Azure AD account successfully aut
 resources, leading to data breaches or further exploitation within the network.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs
+search: '`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs
 | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml
index eeb37fcfc7..a1db7ea2a4 100644
--- a/detections/cloud/azure_ad_successful_powershell_authentication.yml
+++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml
@@ -1,7 +1,7 @@
 name: Azure AD Successful PowerShell Authentication
 id: 62f10052-d7b3-4e48-b57b-56f8e3ac7ceb
-version: 3
-date: '2024-05-24'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies a successful authentication event
 or further exploitation within the Azure environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true
+search: '`azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true
 properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
index dd84988f4c..6551e60b7b 100644
--- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml
+++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
 name: Azure AD Successful Single-Factor Authentication
 id: a560e7f6-1711-4353-885b-40be53101fcd
-version: 3
-date: '2024-05-23'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic identifies a successful single-factor authen
 or further exploitation within the environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication
+search: '`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication
 properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`'
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index c6061000f6..942076c52e 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: Azure AD Unusual Number of Failed Authentications From Ip
 id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d
-version: 3
-date: '2024-05-15'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -15,7 +15,7 @@ description: 'The following analytic identifies a single source IP failing to au
 compromise of sensitive information.'
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126
+search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126
 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg,
diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
index 3d0fd1b1a6..f1f3a89a53 100644
--- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
@@ -1,7 +1,7 @@
 name: Azure AD User Consent Denied for OAuth Application
 id: bb093c30-d860-4858-a56e-cd0895d5b49c
-version: 3
-date: '2024-05-18'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: The following analytic identifies instances where a user has denied
 to gain access, potentially leading to data breaches or unauthorized actions within the environment. Understanding these denials helps refine security policies and enhance user awareness.
-search: ' `azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004
+search: '`azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004
 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`'
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index 6827fe05be..091f520e31 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -1,7 +1,7 @@
 name: Azure AD User Enabled And Password Reset
 id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268
-version: 3
-date: '2024-05-26'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ data_source:
 - Azure Active Directory Enable account
 - Azure Active Directory Reset password (by admin)
 - Azure Active Directory Update user
-search: ' `azure_monitor_aad` (operationName="Enable account" OR operationName="Reset
+search: '`azure_monitor_aad` (operationName="Enable account" OR operationName="Reset
 password (by admin)" OR operationName="Update user") | transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
index 4d389d1b08..3cf498c2a7 100644
--- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
+++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -1,7 +1,7 @@
 name: Azure AD User ImmutableId Attribute Updated
 id: 0c0badad-4536-4a84-a561-5ff760f3c00e
-version: 2
-date: '2024-05-24'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies the modification of the SourceAnc
 breaches.
 data_source:
 - Azure Active Directory Update user
-search: ' `azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor
+search: '`azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor
 | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user
diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml
index af5fb1430f..06724a1f5c 100644
--- a/detections/cloud/azure_automation_account_created.yml
+++ b/detections/cloud/azure_automation_account_created.yml
@@ -1,7 +1,7 @@
 name: Azure Automation Account Created
 id: 860902fd-2e76-46b3-b050-ba548dab576c
-version: 3
-date: '2024-05-24'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new Azure Automati
 on virtual machines, posing a significant security risk.
 data_source:
 - Azure Audit Create or Update an Azure Automation account
-search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation
+search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation
 account" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml
index 3c1cfeb265..da00e5e44a 100644
--- a/detections/cloud/azure_automation_runbook_created.yml
+++ b/detections/cloud/azure_automation_runbook_created.yml
@@ -1,7 +1,7 @@
 name: Azure Automation Runbook Created
 id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b
-version: 3
-date: '2024-05-11'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new Azure Automati
 environment.
 data_source:
 - Azure Audit Create or Update an Azure Automation Runbook
-search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation
+search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation
 Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path
diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml
index 28fc9c5694..810ec1551e 100644
--- a/detections/cloud/azure_runbook_webhook_created.yml
+++ b/detections/cloud/azure_runbook_webhook_created.yml
@@ -1,7 +1,7 @@
 name: Azure Runbook Webhook Created
 id: e98944a9-92e4-443c-81b8-a322e33ce75a
-version: 4
-date: '2024-05-23'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new Automation Run
 control over Azure resources.
 data_source:
 - Azure Audit Create or Update an Azure Automation webhook
-search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation
+search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation
 webhook" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
index 2b04cfc1b8..64dce25410 100644
--- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
 name: GCP Authentication Failed During MFA Challenge
 id: 345f7e1d-a3fe-4158-abd8-e630f9878323
-version: 3
-date: '2024-05-11'
+version: 4
+date: '2024-09-24'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: 'The following analytic detects failed authentication attempts duri
 GCP environment.'
 data_source:
 - Google Workspace login_failure
-search: ' `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats
+search: '`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats
 count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Google
diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml
index 2103c7707a..8c2dae55e4 100644
--- a/detections/cloud/o365_compliance_content_search_exported.yml
+++ b/detections/cloud/o365_compliance_content_search_exported.yml
@@ -1,7 +1,7 @@
 name: O365 Compliance Content Search Exported
 id: 2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8
-version: 2
-date: '2024-05-24'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic identifies when the results of a content sea
 If confirmed malicious, an attacker could gain access to and exfiltrate sensitive information, posing a severe risk to the organization's data security and compliance posture.
-search: ' `o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported"
+search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported"
 | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`'
diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml
index 28eeaca71b..7f59413151 100644
--- a/detections/cloud/o365_compliance_content_search_started.yml
+++ b/detections/cloud/o365_compliance_content_search_started.yml
@@ -1,7 +1,7 @@
 name: O365 Compliance Content Search Started
 id: f4cabbc7-c19a-4e41-8be5-98daeaccbb50
-version: 2
-date: '2024-05-15'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects when a content search is initiated w
 unauthorized data access, potential data exfiltration, and compliance violations. Monitoring this behavior helps ensure the integrity and security of organizational data.
-search: ' `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated
+search: '`o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated
 | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`'
diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
index 94efdef9cd..607c4a5638 100644
--- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: O365 Concurrent Sessions From Different Ips
 id: 58e034de-1f87-4812-9dc3-a4f68c7db930
-version: 2
-date: '2024-05-27'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies user sessions in Office 365 acces
 posing severe risks to organizational security.
 data_source:
 - O365 UserLoggedIn
-search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn
 | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`'
diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
index b2c1c243e6..7b3f38d482 100644
--- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
+++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
@@ -1,7 +1,7 @@
 name: O365 Elevated Mailbox Permission Assigned
 id: 2246c142-a678-45f8-8546-aaed7e0efd30
-version: 2
-date: '2024-05-15'
+version: 3
+date: '2024-09-24'
 author: Patrick Bareiss, Mauricio Velazco, Splunk
 data_source: []
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic identifies the assignment of elevated mailbo
 over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk.
-search: ' `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission
+search: '`o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission
 | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)`
diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
index e684d23e4c..d832e04b16 100644
--- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
 name: O365 High Number Of Failed Authentications for User
 id: 31641378-2fa9-42b1-948e-25e281cb98f7
-version: 2
-date: '2024-05-16'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies an O365 account experiencing more
 access to the O365 environment, potentially compromising sensitive emails, documents, and other data. Prompt investigation and action are crucial to prevent unauthorized access and data breaches.
-search: ' `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon
+search: '`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon
 Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`'
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
index 7d13aaa76c..79ddbd6caf 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
@@ -1,7 +1,7 @@
 name: O365 Mailbox Folder Read Permission Granted
 id: cd15c0a8-470e-4b12-9517-046e4927db30
-version: 2
-date: '2024-05-25'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic identifies instances where read permissions
 exposing sensitive email content. If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage.
-search: ' `o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission"
+search: '`o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission"
 OR Operation="Add-MailboxFolderPermission" ) | eval isReadRole=if(match(AccessRights, "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false") | search isReadRole="true" | rename UserId as user | stats count earliest(_time)
diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
index 2972dea980..24ca434034 100644
--- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
@@ -1,7 +1,7 @@
 name: O365 Multi-Source Failed Authentications Spike
 id: ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa
-version: 2
-date: '2024-05-31'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
@@ -15,7 +15,7 @@ description: The following analytic identifies a spike in failed authentication
 If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. Early detection is crucial to prevent account takeovers and mitigate subsequent threats.
-search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed
 ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent)
diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
index 6dac7c57d2..7ef73fb256 100644
--- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple AppIDs and UserAgents Authentication Spike
 id: 66adc486-224d-45c1-8e4d-9e7eeaba988f
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -17,7 +17,7 @@ description: The following analytic identifies unusual authentication activity i
 it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.
-search: ' `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn
+search: '`o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn
 OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents
diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
index 778080e17c..619be6ddcf 100644
--- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple Failed MFA Requests For User
 id: fd22124e-dbac-4744-a8ce-be10d8ec3e26
-version: 2
-date: '2024-05-26'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: The following analytic identifies potential "MFA fatigue" attacks t
 requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.
-search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed
 ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`'
diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
index 4ade3a6007..1fe3468af4 100644
--- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
+++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
@@ -16,7 +16,7 @@ description: The following analytic detects when a high number of Office 365 Exc
 information, leading to data breaches and further exploitation of compromised accounts. The threshold is set to flag over five unique mailboxes accessed within 10 minutes, but should be tailored to your environment.
-search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed
+search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed
 AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, "^Client=WebServices;ExchangeWebServices"), 1, 0) | search (AppId="00000003-0000-0000-c000-000000000000" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes
diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
index b8f4cbcd51..de7fe875c6 100644
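Review bot: The `search:` value of o365_multiple_mailboxes_accessed_via_api.yml is edited (leading space inside the quote removed), yet this file is the only detection in the patch that receives no `version`/`date` hunk — its diff here is the single `@@ -16,7 +16,7 @@` hunk. Every sibling file touched in the same way gets both fields bumped, so as written this one ships a changed search under its old version and date. If downstream consumers key content updates off those fields, the edit will not be picked up as a new revision. Suggest adding the same bump here, `version: <current version + 1>` and `date: '2024-09-24'`, or stating in the commit message why whitespace-only edits to this file are exempt.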
--- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple Users Failing To Authenticate From Ip
 id: 8d486e2e-3235-4cfe-ac35-0d042e24ecb4
-version: 3
-date: '2024-05-23'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: The following analytic identifies instances where more than 10 uniq
 multiple accounts, potentially leading to unauthorized access. Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures.
-search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed
 ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`'
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
index 7f866b4325..e0269e70fe 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
@@ -1,7 +1,7 @@
 name: O365 OAuth App Mailbox Access via EWS
 id: e600cf1a-0bef-4426-b42e-00176d610a4d
-version: 2
-date: '2024-05-14'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 data_source:
@@ -15,7 +15,7 @@ description: The following analytic detects when emails are accessed in Office 3
 emails through EWS is crucial for identifying potential abuse or unauthorized data access. If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information.
-search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed
+search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed
 AppId=* ClientAppId=* | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)`
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
index bd66c03848..f3604b1e93 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
@@ -1,7 +1,7 @@
 name: O365 OAuth App Mailbox Access via Graph API
 id: 9db0d5b0-4058-4cb7-baaf-77d8143539a2
-version: 2
-date: '2024-05-18'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 data_source:
@@ -14,7 +14,7 @@ description: The following analytic detects when emails are accessed in Office 3
 access to emails can lead to data breaches and information theft. If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization’s network.
-search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed
+search: '`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed
 AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
index 814038f5f3..53024673f2 100644
--- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml
+++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
@@ -1,7 +1,7 @@
 name: O365 Security And Compliance Alert Triggered
 id: 5b367cdd-8dfc-49ac-a9b7-6406cf27f33e
-version: 2
-date: '2024-05-09'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies alerts triggered by the Office 36
 If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities.
-search: ' `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement
+search: '`o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement
 Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data
diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml
index 4dd03b4f3c..c849dacae6 100644
--- a/detections/cloud/o365_service_principal_new_client_credentials.yml
+++ b/detections/cloud/o365_service_principal_new_client_credentials.yml
@@ -1,7 +1,7 @@
 name: O365 Service Principal New Client Credentials
 id: a1b229e9-d962-4222-8c62-905a8a010453
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the addition of new credentials for
 operations under the application's identity.
 data_source:
 - O365
-search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation="Update
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Update
 application*Certificates and secrets management " | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`'
diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
index f38efad892..a488b0aa92 100644
--- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
@@ -1,7 +1,7 @@
 name: O365 User Consent Denied for OAuth Application
 id: 2d8679ef-b075-46be-8059-c25116cb1072
-version: 2
-date: '2024-05-22'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: The following analytic identifies instances where a user has denied
 or unfamiliar applications. If confirmed malicious, it suggests an attempt by a potentially harmful application to gain unauthorized access, which was proactively blocked by the user.
-search: ' `o365_graph` status.errorCode=65004 | rename userPrincipalName as user |
+search: '`o365_graph` status.errorCode=65004 | rename userPrincipalName as user |
 rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`'
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
index 8aeb4e05b9..030d6bde72 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
@@ -1,7 +1,7 @@
 name: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
 id: 114c6bfe-9406-11ec-bcce-acde48001122
-version: 3
-date: '2024-05-29'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the execution of the `Get-ADUser` Po
 privileges within the network.
 data_source:
 - Powershell Script Block Logging 4104
-search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*")
+search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*")
 | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`'
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
index ffc44e5bce..fcee15da6f 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
@@ -1,7 +1,7 @@
 name: Disabled Kerberos Pre-Authentication Discovery With PowerView
 id: b0b34e2c-90de-11ec-baeb-acde48001122
-version: 3
-date: '2024-05-12'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the execution of the `Get-DomainUser
 privileges within the network.
 data_source:
 - Powershell Script Block Logging 4104
-search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*")
+search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*")
 | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`'
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
index a242036c87..d61ace905e 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -1,7 +1,7 @@
 name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
 id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 2
-date: '2024-05-24'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects when the Kerberos Pre-Authentication
 of sensitive information.
 data_source:
 - Windows Event Log Security 4738
-search: ' `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require
+search: '`wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require
 Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
index f361a4b6fc..dc7fe37fe8 100644
--- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
@@ -1,7 +1,7 @@
 name: Kerberos Service Ticket Request Using RC4 Encryption
 id: 7d90f334-a482-11ec-908c-acde48001122
-version: 3
-date: '2024-05-27'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: 'The following analytic detects Kerberos service ticket requests us
 key instead of the NTLM hash.'
 data_source:
 - Windows Event Log Security 4769
-search: ' `wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000
+search: '`wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000
 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
index 31815fd33b..1150a6a476 100644
--- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
@@ -1,7 +1,7 @@
 name: Kerberos TGT Request Using RC4 Encryption
 id: 18916468-9c04-11ec-bdc6-acde48001122
-version: 3
-date: '2024-05-27'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects a Kerberos Ticket Granting Ticket (T
 potentially leading to lateral movement and further compromise within the network.
 data_source:
 - Windows Event Log Security 4768
-search: ' `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$
+search: '`wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$
 | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`'
diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml
index 9fd94aa879..564a7efc4b 100644
--- a/detections/endpoint/kerberos_user_enumeration.yml
+++ b/detections/endpoint/kerberos_user_enumeration.yml
@@ -1,7 +1,7 @@
 name: Kerberos User Enumeration
 id: d82d4af4-a0bd-11ec-9445-3e22fbd008af
-version: 3
-date: '2024-05-25'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: The following analytic detects an unusual number of Kerberos Ticket
 or credential stuffing, compromising the security of the environment.
 data_source:
 - Windows Event Log Security 4768
-search: ' `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!="*$" |
+search: '`wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!="*$" |
 bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3)
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index 1b7d6b8f9f..97a1a61051 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Add User Account Type
 id: f8c325ea-506e-4105-8ccf-da1492e90115
-version: 1
-date: '2024-09-04'
+version: 2
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: The following analytic detects the suspicious add user account type
 early is essential to prevent potential security incidents.
 data_source:
 - Linux Auditd Add User
-search: ' `linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time)
+search: '`linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time)
 as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
index b6d0662dfe..8175f8478c 100644
--- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Database File And Directory Discovery
 id: f616c4f3-bde9-41cf-856c-019b65f668bb
-version: 1
-date: '2024-09-04'
+version: 2
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: "The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise."
 data_source:
 - Linux Auditd Execve
-search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
 dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR
diff --git a/detections/endpoint/linux_auditd_find_private_keys.yml b/detections/endpoint/linux_auditd_find_private_keys.yml
index 9ff566aa84..fd9f84d828 100644
--- a/detections/endpoint/linux_auditd_find_private_keys.yml
+++ b/detections/endpoint/linux_auditd_find_private_keys.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Find Private Keys
 id: 80bb9988-190b-4ee0-a3c3-509545a8f678
-version: 1
-date: '2024-09-04'
+version: 2
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: "The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information."
 data_source:
 - Linux Auditd Execve
-search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
 dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE
diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
index c8a07b3865..88cceee421 100644
--- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
+++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Hidden Files And Directories Creation
 id: 555cc358-bf16-4e05-9b3a-0f89c73b7261
-version: 1
-date: '2024-09-04'
+version: 2
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: "The following analytic detects suspicious creation of hidden files
 and address hidden threats effectively."
 data_source:
 - Linux Auditd Execve
-search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
 dest | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec,"
diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
index abd5c53579..e75e43f0aa 100644
--- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Virtual Disk File And Directory Discovery
 id: eec78cef-d4c8-4b35-8f5b-6922102a4a41
-version: 1
-date: '2024-09-04'
+version: 2
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: "The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches."
 data_source:
 - Linux Auditd Execve
-search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
 dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc
diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
index 57a0c7f994..c63eb30bb5 100644
--- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml
+++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
@@ -1,7 +1,7 @@
 name: Malicious Powershell Executed As A Service
 id: 8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8
-version: 3
-date: '2024-05-20'
+version: 4
+date: '2024-09-24'
 author: Ryan Becwar
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies the execution of malicious PowerS
 persistence within the environment.
 data_source:
 - Windows Event Log System 7045
-search: ' `wineventlog_system` EventCode=7045 | eval l_ImagePath=lower(ImagePath)
+search: '`wineventlog_system` EventCode=7045 | eval l_ImagePath=lower(ImagePath)
 | regex l_ImagePath="powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]" | regex l_ImagePath="-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath
diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml
index ecb46d821e..d2a7bac01c 100644
--- a/detections/endpoint/randomly_generated_scheduled_task_name.yml
+++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml
@@ -1,7 +1,7 @@
 name: Randomly Generated Scheduled Task Name
 id: 9d22a780-5165-11ec-ad4f-3e22fbd008af
-version: 2
-date: '2024-05-28'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a Scheduled Task wit
 the network.
 data_source:
 - Windows Event Log Security 4698
-search: ' `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup
+search: '`wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup
 word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml
index 7357fda8ea..c190f2454e 100644
--- a/detections/endpoint/randomly_generated_windows_service_name.yml
+++ b/detections/endpoint/randomly_generated_windows_service_name.yml
@@ -1,7 +1,7 @@
 name: Randomly Generated Windows Service Name
 id: 2032a95a-5165-11ec-a2c3-3e22fbd008af
-version: 3
-date: '2024-08-19'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
@@ -14,7 +14,7 @@ description: The following analytic detects the installation of a Windows Servic
 arbitrary code, escalate privileges, or maintain persistence within the environment.
 data_source:
 - Windows Event Log System 7045
-search: ' `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name
+search: '`wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name
 | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
index bb376bc6b4..d83af91254 100644
--- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
+++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
@@ -1,7 +1,7 @@
 name: Rubeus Kerberos Ticket Exports Through Winlogon Access
 id: 5ed8c50a-8869-11ec-876f-acde48001122
-version: 3
-date: '2024-08-14'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects a process accessing the winlogon.exe
 and persist within the network, posing a severe security risk.
 data_source:
 - Sysmon EventID 10
-search: ' `sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (GrantedAccess=0x1f3fff)
+search: '`sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (GrantedAccess=0x1f3fff)
 (SourceImage!=C:\\Windows\\system32\\svchost.exe AND SourceImage!=C:\\Windows\\system32\\lsass.exe AND SourceImage!=C:\\Windows\\system32\\LogonUI.exe AND SourceImage!=C:\\Windows\\system32\\smss.exe AND SourceImage!=C:\\Windows\\system32\\wbem\\wmiprvse.exe) | stats count min(_time)
diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml
index 59415847fe..d426bafbbc 100644
--- a/detections/endpoint/short_lived_scheduled_task.yml
+++ b/detections/endpoint/short_lived_scheduled_task.yml
@@ -1,7 +1,7 @@
 name: Short Lived Scheduled Task
 id: 6fa31414-546e-11ec-adfa-acde48001122
-version: 2
-date: '2024-05-17'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: 'The following analytic detects the creation and deletion of schedu
 data_source:
 - Windows Event Log Security 4698
 - Windows Event Log Security 4699
-search: ' `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message
+search: '`wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message
 | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived
diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
index e1a1d54d94..4ca7f91c84 100644
--- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
@@ -1,7 +1,7 @@
 name: Suspicious Kerberos Service Ticket Request
 id: 8b1297bc-6204-11ec-b7c4-acde48001122
-version: 3
-date: '2024-05-16'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects suspicious Kerberos Service Ticket (
 and unauthorized access to sensitive information.
 data_source:
 - Windows Event Log Security 4769
-search: ' `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName)
+search: '`wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName)
 = lower(mvindex(split(TargetUserName,"@"),0)),1,0) | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`'
diff --git a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
index db115afd9d..0cd9789b59 100644
--- a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
+++ b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
@@ -1,7 +1,7 @@
 name: Suspicious Ticket Granting Ticket Request
 id: d77d349e-6269-11ec-9cfe-acde48001122
-version: 3
-date: '2024-05-25'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
@@ -16,7 +16,7 @@ description: The following analytic detects suspicious Kerberos Ticket Granting
 data_source:
 - Windows Event Log Security 4768
 - Windows Event Log Security 4781
-search: ' `wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$")
+search: '`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$")
 OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search
diff --git a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
index 4f9f960d7e..0e1568ecae 100644
--- a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Unusual Number of Computer Service Tickets Requested
 id: ac3b81c0-52f4-11ec-ac44-acde48001122
-version: 2
-date: '2024-05-25'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
@@ -15,7 +15,7 @@ description: 'The following analytic identifies an unusual number of computer se
 exfiltration.'
 data_source:
 - Windows Event Log Security 4769
-search: ' `wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*"
+search: '`wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*"
 | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 066ee5a7f2..4c667330df 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Unusual Number of Kerberos Service Tickets Requested
 id: eb3e6702-8936-11ec-98fe-acde48001122
-version: 3
-date: '2024-05-15'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: 'The following analytic identifies an unusual number of Kerberos se
 to sensitive accounts and escalation of privileges within the Active Directory environment.'
 data_source:
 - Windows Event Log Security 4769
-search: ' `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
+search: '`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services by _time, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3)
diff --git a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
index 1d25cdb3b5..5b27d6366a 100644
--- a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
+++ b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
@@ -1,7 +1,7 @@
 name: Unusual Number of Remote Endpoint Authentication Events
 id: acb5dc74-5324-11ec-a36d-acde48001122
-version: 2
-date: '2024-05-11'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
@@ -14,7 +14,7 @@ description: 'The following analytic identifies an unusual number of remote auth
 escalate privileges, or gather information for further attacks.'
 data_source:
 - Windows Event Log Security 4624
-search: ' `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" |
+search: '`wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" |
 eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets)
diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
index e22a02f6f0..72bbe63729 100644
--- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
+++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
@@ -1,7 +1,7 @@
 name: Windows AD ServicePrincipalName Added To Domain Account
 id: 8a1259cb-0ea7-409c-8bfe-74bad89259f9
-version: 3
-date: '2024-05-22'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
@@ -14,7 +14,7 @@ description: The following analytic detects the addition of a Service Principal
 and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.
-search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName
+search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName
 OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter`'
diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
index 8d1a3b2fe9..459b86642a 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
@@ -1,7 +1,7 @@
 name: Windows AD Short Lived Domain Account ServicePrincipalName
 id: b681977c-d90c-4efc-81a5-c58f945fb541
-version: 2
-date: '2024-05-18'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
@@ -15,7 +15,7 @@ description: The following analytic identifies the addition and quick deletion o
 of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.
-search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName
+search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName
 | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675") | eval short_lived=case((duration<300),"TRUE") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`'
diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml
index 1aefbcaed6..6ed1baf315 100644
--- a/detections/endpoint/windows_ad_short_lived_server_object.yml
+++ b/detections/endpoint/windows_ad_short_lived_server_object.yml
@@ -1,7 +1,7 @@
 name: Windows AD Short Lived Server Object
 id: 193769d3-1e33-43a9-970e-ad4a88256cdb
-version: 2
-date: '2024-05-21'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
@@ -16,7 +16,7 @@ description: 'The following analytic identifies the creation and quick deletion
 rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.'
-search: ' `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*"
+search: '`wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*"
 | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`'
diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
index c855fcc1d1..af065c26d3 100644
--- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
+++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
@@ -1,7 +1,7 @@
 name: Windows AD SID History Attribute Modified
 id: 1155e47d-307f-4247-beab-71071e3a458c
-version: 2
-date: '2024-05-16'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the SID History att
 unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.
-search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory
+search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory
 OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`'
 how_to_implement: To successfully implement this search, you ned to be ingesting eventcode
diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
index fc8331a2e3..2cd5768f5c 100644
--- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
 name: Windows Administrative Shares Accessed On Multiple Hosts
 id: d92f2d95-05fb-48a7-910f-4d3d61ab8655
-version: 2
-date: '2024-05-19'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
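Review bot: The how_to_implement context line in the windows_ad_sid_history_attribute_modified.yml hunk still reads `you ned to be ingesting eventcode`, a typo in user-facing deployment guidance that this pass over the file (which already re-versions it) could have fixed; `you need to be ingesting eventcode` is the intended wording. The how_to_implement value continues past the end of the hunk, so the rest of that field is not visible here.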
@@ -15,7 +15,7 @@ description: The following analytic detects a source computer accessing Windows
 a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.
-search: ' `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$"
+search: '`wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$"
 OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets
diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
index a7d737f541..9c7bc8039c 100644
--- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
@@ -1,7 +1,7 @@
 name: Windows Admon Default Group Policy Object Modified
 id: 83458004-db60-4170-857d-8572f16f070b
-version: 2
-date: '2024-05-28'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the default Group P
 persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.
-search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*"
+search: '`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*"
 (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml
index c09e970738..b218038cb3 100644
--- a/detections/endpoint/windows_admon_group_policy_object_created.yml
+++ b/detections/endpoint/windows_admon_group_policy_object_created.yml
@@ -1,7 +1,7 @@
 name: Windows Admon Group Policy Object Created
 id: 69201633-30d9-48ef-b1b6-e680805f0582
-version: 2
-date: '2024-05-20'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects the creation of a new Group Policy O
 across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.
-search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*"
+search: '`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*"
 versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`'
diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml
index 712adb5d73..fcfeaca249 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified.yml
@@ -1,7 +1,7 @@
 name: Windows Default Group Policy Object Modified
 id: fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876
-version: 2
-date: '2024-05-26'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ description: The following analytic detects modifications to default Group Polic
 across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.
-search: ' `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber
+search: '`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber
 (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid
diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml
index a4559e7d79..b63b2f15e6 100644
--- a/detections/endpoint/windows_dnsadmins_new_member_added.yml
+++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml
@@ -1,7 +1,7 @@
 name: Windows DnsAdmins New Member Added
 id: 27e600aa-77f8-4614-bc80-2662a67e2f48
-version: 4
-date: '2024-05-29'
+version: 5
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the addition of a new member to the
 privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.
-search: ' `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time)
+search: '`wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time)
 as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`'
diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
index 3f2f25103c..b59e290f9a 100644
--- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
+++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
@@ -1,14 +1,14 @@
 name: Windows Domain Admin Impersonation Indicator
 id: 10381f93-6d38-470a-9c30-d25478e3bd3f
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
 data_source:
 - Windows Event Log Security 4627
 description: The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.
-search: ' `wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN ("*$", "SYSTEM", "DWM-*","LOCAL SERVICE","NETWORK SERVICE", "ANONYMOUS LOGON", "UMFD-*")
+search: '`wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN ("*$", "SYSTEM", "DWM-*","LOCAL SERVICE","NETWORK SERVICE", "ANONYMOUS LOGON", "UMFD-*")
 | where match(GroupMembership, "Domain Admins") | stats count by _time, TargetUserName, GroupMembership, host | lookup domain_admins username as TargetUserName OUTPUT username | fillnull value=NotDA username
diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
index 631c86f244..c325c6fe42 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
@@ -1,7 +1,7 @@
 name: Windows ESX Admins Group Creation Security Event
 id: 53b4c927-5ec4-47cd-8aed-d4b303304f87
-version: 1
-date: '2024-07-30'
+version: 2
+date: '2024-09-24'
 author: Michael Haag, Splunk
 data_source:
 - Windows Event Log Security 4727
@@ -10,7 +10,7 @@ data_source:
 type: TTP
 status: production
 description: This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).
-search: ' `wineventlog_security` EventCode IN (4727, 4730, 4737)
+search: '`wineventlog_security` EventCode IN (4727, 4730, 4737)
 (TargetUserName="ESX Admins" OR TargetUserName="*ESX Admins*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode TargetUserName TargetDomainName SubjectUserName SubjectDomainName Computer | rename Computer as dest
diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
index 872b578c88..630d1e2ed8 100644
--- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Get-AdComputer Unconstrained Delegation Discovery
 id: c8640777-469f-4638-ab44-c34a3233ffac
-version: 3
-date: '2024-05-13'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the use of the Get-ADComputer cmdlet
 or lateral movement within the network.
 data_source:
 - Powershell Script Block Logging 4104
-search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText
+search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText
 = "*TrustedForDelegation*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml
index 16771eae70..b2ebd68aaa 100644
--- a/detections/endpoint/windows_group_policy_object_created.yml
+++ b/detections/endpoint/windows_group_policy_object_created.yml
@@ -1,7 +1,7 @@
 name: Windows Group Policy Object Created
 id: 23add2a8-ea22-4fd4-8bc0-8c0b822373a1
-version: 2
-date: '2024-05-17'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new Group Policy O
 across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption.
-search: ' `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New
+search: '`wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New
 Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details,
diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
index cb6ced8840..3232d3b615 100644
--- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Windows Large Number of Computer Service Tickets Requested
 id: 386ad394-c9a7-4b4f-b66f-586252de20f0
-version: 2
-date: '2024-05-11'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: Anomaly
 status: production
@@ -15,7 +15,7 @@ description: The following analytic detects a high volume of Kerberos service ti
 or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.
-search: ' `wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$"
+search: '`wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$"
 | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`'
diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
index 87560c5f9e..4eb648a1b9 100644
--- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml
+++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
@@ -1,7 +1,7 @@
 name: Windows Local Administrator Credential Stuffing
 id: 09555511-aca6-484a-b6ab-72cd03d73c34
 version: 2
-date: '2024-05-16'
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
@@ -16,7 +16,7 @@ description: The following analytic detects attempts to authenticate using the b
 to privilege escalation. If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk.
-search: ' `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator
+search: '`wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator
 | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`'
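Review bot: In the `@@ -1,7 +1,7 @@` hunk of windows_local_administrator_credential_stuffing.yml, `version: 2` is left as an unchanged context line while `date` is bumped to '2024-09-24', whereas every other detection touched by this patch increments `version` together with `date`, and the file's second hunk does change the search string. If the repository's convention is that any content change bumps the version (which the rest of this patch suggests), this file should carry `-version: 2` / `+version: 3` as well; otherwise the date-only change looks like an oversight rather than a deliberate exception.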
diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml
index a699fadee2..de1ec5efbd 100644
--- a/detections/endpoint/windows_multiple_account_passwords_changed.yml
+++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml
@@ -1,7 +1,7 @@
 name: Windows Multiple Account Passwords Changed
 id: faefb681-14be-4f0d-9cac-0bc0160c7280
-version: 2
-date: '2024-05-19'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4724
@@ -15,7 +15,7 @@ description: The following analytic detects instances where more than five uniqu
 unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.
-search: ' `wineventlog_security` EventCode=4724 status=success | bucket span=10m _time
+search: '`wineventlog_security` EventCode=4724 status=success | bucket span=10m _time
 | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_account_passwords_changed_filter`'
diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml
index 9b49d44623..c9ccffb291 100644
--- a/detections/endpoint/windows_multiple_accounts_deleted.yml
+++ b/detections/endpoint/windows_multiple_accounts_deleted.yml
@@ -1,7 +1,7 @@
 name: Windows Multiple Accounts Deleted
 id: 49c0d4d6-c55d-4d3a-b3d5-7709fafed70d
-version: 2
-date: '2024-05-21'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4726
@@ -14,7 +14,7 @@ description: The following analytic detects the deletion of more than five uniqu
 is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.
-search: ' `wineventlog_security` EventCode=4726 status=success | bucket span=10m _time
+search: '`wineventlog_security` EventCode=4726 status=success | bucket span=10m _time
 | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_deleted_filter`'
diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml
index 38cc7c019c..8cd703a124 100644
--- a/detections/endpoint/windows_multiple_accounts_disabled.yml
+++ b/detections/endpoint/windows_multiple_accounts_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows Multiple Accounts Disabled
 id: 5d93894e-befa-4429-abde-7fc541020b7b
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4725
@@ -15,7 +15,7 @@ description: The following analytic identifies instances where more than five un
 breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.
-search: ' `wineventlog_security` EventCode=4725 status=success | bucket span=10m _time
+search: '`wineventlog_security` EventCode=4725 status=success | bucket span=10m _time
 | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_disabled_filter`'
diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
index 4a0d9fefbf..51dd4cc20f 100644
--- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4776
-date: '2024-05-17'
+date: '2024-09-24'
 description: 'The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates
@@ -24,7 +24,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/003/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
-search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
+search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`'
 status: production
@@ -64,4 +64,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: TTP
-version: 3
+version: 4
diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
index 2c0916a271..768d7b9907 100644
--- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4648
-date: '2024-05-17'
+date: '2024-09-24'
 description: 'The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly
@@ -25,7 +25,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/003/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
-search: ' `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
+search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
 | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`'
@@ -67,4 +67,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: TTP
-version: 3
+version: 4
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
index 1ca6318c8d..206e73525f 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4776
-date: '2024-05-26'
+date: '2024-09-24'
 description: 'The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates
@@ -23,7 +23,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/003/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
-search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
+search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`'
 status: production
@@ -63,4 +63,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: TTP
-version: 3
+version: 4
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
index 596020b269..8731fe958c 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4625
-date: '2024-05-25'
+date: '2024-09-24'
 description: 'The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member
@@ -23,7 +23,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
-search: ' `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket
+search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket
 span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`'
@@ -67,4 +67,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: TTP
-version: 3
+version: 4
diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
index 8084bdfb50..596af2408a 100644
--- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
+++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4625
-date: '2024-05-28'
+date: '2024-09-24'
 description: 'The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant
@@ -25,7 +25,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
-search: ' `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket
+search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket
 span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`'
 status: production
@@ -66,4 +66,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: TTP
-version: 3
+version: 4
diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml
index 6fb35c4eaf..837d2724f1 100644
--- a/detections/endpoint/windows_powersploit_gpp_discovery.yml
+++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows PowerSploit GPP Discovery
 id: 0130a0df-83a1-4647-9011-841e950ff302
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the execution of the Get-GPPPassword
 potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.
-search: ' `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword)
+search: '`powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword)
 | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`'
diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
index 4b9c329ff4..f91c545d97 100644
--- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
+++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
@@ -1,7 +1,7 @@
 name: Windows PowerView AD Access Control List Enumeration
 id: 39405650-c364-4e1e-a740-32a63ef042a6
-version: 2
-date: '2024-05-17'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the execution of PowerView PowerShel
 Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.
-search: ' `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl*
+search: '`powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl*
 ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`'
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
index b3f638846a..00adb60ac8 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -1,7 +1,7 @@
 name: Windows Service Created with Suspicious Service Path
 id: 429141be-8311-11eb-adb6-acde48001122
-version: 5
-date: '2024-05-21'
+version: 6
+date: '2024-09-24'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a Windows Service wi
 escalate privileges, posing a severe threat to the environment.
 data_source:
 - Windows Event Log System 7045
-search: ' `wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN
+search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN
 ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)`
diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
index ebdfcb4170..34ddede198 100644
--- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
 name: Windows Special Privileged Logon On Multiple Hosts
 id: 4c461f5a-c2cc-4e86-b132-c262fc9edca7
-version: 3
-date: '2024-05-24'
+version: 4
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
@@ -15,7 +15,7 @@ description: The following analytic detects a user authenticating with special p
 potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.
-search: ' `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN ("DWM-1","DWM-2","DWM-3","LOCAL
+search: '`wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN ("DWM-1","DWM-2","DWM-3","LOCAL
 SERVICE","NETWORK SERVICE","SYSTEM","*$")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
index 7a5203e123..ca85169886 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4776
-date: '2024-05-19'
+date: '2024-09-24'
 description: 'The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect
@@ -24,7 +24,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/003/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
-search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
+search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts
@@ -71,4 +71,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: Anomaly
-version: 2
+version: 3
diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
index 458d7d8f5f..888ab11519 100644
--- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4648
-date: '2024-05-14'
+date: '2024-09-24'
 description: 'The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma
@@ -24,7 +24,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/003/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
-search: ' `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
+search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
 | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3)
@@ -72,4 +72,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: Anomaly
-version: 2
+version: 3
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
index b9a9ff7198..65c56ae960 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4625
-date: '2024-05-21'
+date: '2024-09-24'
 description: 'The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis
@@ -24,7 +24,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
-search: ' `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket
+search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket
 span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName,
@@ -74,4 +74,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: Anomaly
-version: 2
+version: 3
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
index 48afd2bdfe..5eeeb94d68 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4776
-date: '2024-05-12'
+date: '2024-09-24'
 description: 'The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the
@@ -24,7 +24,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/003/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
-search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
+search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3)
@@ -67,4 +67,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: Anomaly
-version: 2
+version: 3
diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
index 8c07be7abd..7e10545ce3 100644
--- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
@@ -1,7 +1,7 @@
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4625
-date: '2024-05-18'
+date: '2024-09-24'
 description: 'The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3
@@ -24,7 +24,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
-search: ' `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket
+search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket
 span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3)
@@ -68,4 +68,4 @@ tests:
 sourcetype: XmlWinEventLog
 name: True Positive Test
 type: Anomaly
-version: 2
+version: 3
From 5b75e85ef87d699509f052dab4bb965bd8f40661 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 24 Sep 2024 16:53:25 -0700
Subject: [PATCH 2/5] second pass at fixing whitespace and related update fields
---
 .../okta_multi_factor_authentication_disabled.yml | 6 +++---
 .../okta_multiple_users_failing_to_authenticate_from_ip.yml | 6 +++---
 detections/application/okta_new_api_token_created.yml | 6 +++---
 .../application/okta_new_device_enrolled_on_account.yml | 6 +++---
 .../kubernetes_anomalous_inbound_outbound_network_io.yml | 6 +++---
 ...netes_anomalous_inbound_to_outbound_network_io_ratio.yml | 6 +++---
 .../kubernetes_previously_unseen_container_image_name.yml | 6 +++---
 detections/cloud/kubernetes_previously_unseen_process.yml | 6 +++---
 .../cloud/kubernetes_process_running_from_new_path.yml | 6 +++---
 ...bernetes_process_with_anomalous_resource_utilisation.yml | 6 +++---
 .../kubernetes_process_with_resource_ratio_anomalies.yml | 6 +++---
 .../cloud/kubernetes_shell_running_on_worker_node.yml | 6 +++---
 ...netes_shell_running_on_worker_node_with_cpu_activity.yml | 6 +++---
 .../cloud/o365_application_available_to_other_tenants.yml | 6 +++---
 detections/cloud/o365_cross_tenant_access_change.yml | 6 +++---
 detections/cloud/o365_dlp_rule_triggered.yml | 6 +++---
 detections/cloud/o365_external_guest_user_invited.yml | 6 +++---
 detections/cloud/o365_external_identity_policy_changed.yml | 6 +++---
 .../o365_sharepoint_allowed_domains_policy_changed.yml | 6 +++---
 .../aws_cloud_provisioning_from_previously_unseen_city.yml | 6 +++---
 ...ws_cloud_provisioning_from_previously_unseen_country.yml | 6 +++---
 ...cloud_provisioning_from_previously_unseen_ip_address.yml | 6 +++---
 .../kubernetes_aws_detect_sensitive_role_access.yml | 6 +++---
 .../kubernetes_azure_detect_sensitive_role_access.yml | 6 +++---
 detections/endpoint/lolbas_with_network_traffic.yml | 6 +++---
 ...cious_powershell_process_with_obfuscation_techniques.yml | 6 +++---
 .../endpoint/windows_dism_install_powershell_web_access.yml | 6 +++---
 .../windows_rapid_authentication_on_multiple_hosts.yml | 6 +++---
 detections/network/detect_windows_dns_sigred_via_zeek.yml | 6 +++---
 29 files changed, 87 insertions(+), 87 deletions(-)
diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml
index 478f4dbbac..7f271e7198 100644
--- a/detections/application/okta_multi_factor_authentication_disabled.yml
+++ b/detections/application/okta_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
@@ -15,7 +15,7 @@ description: The following analytic identifies an attempt to disable multi-facto
 could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and prolonged undetected presence in the network.
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
 min(_time) as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src
diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
index 4f1af7ca0b..81455e311b 100644
--- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Users Failing To Authenticate From Ip
 id: de365ffa-42f5-46b5-b43f-fa72290b8218
-version: 2
-date: '2024-05-28'
+version: 3
+date: '2024-09-24'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
 - Okta
@@ -15,7 +15,7 @@ description: The following analytic identifies instances where more than 10 uniq
 behavior suggests an external entity is attempting to compromise multiple user accounts, potentially leading to unauthorized access to organizational resources and data breaches.
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
 min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication
diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml
index 4c4200cccb..6bd87dae20 100644
--- a/detections/application/okta_new_api_token_created.yml
+++ b/detections/application/okta_new_api_token_created.yml
@@ -1,7 +1,7 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 3
-date: '2024-05-11'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new API token with
 environment.
 data_source:
 - Okta
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
 min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category
diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml
index 76288f15e1..91bacfb731 100644
--- a/detections/application/okta_new_device_enrolled_on_account.yml
+++ b/detections/application/okta_new_device_enrolled_on_account.yml
@@ -1,7 +1,7 @@
 name: Okta New Device Enrolled on Account
 id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 3
-date: '2024-05-24'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies when a new device is enrolled on
 and mitigating unauthorized access attempts.
 data_source:
 - Okta
-search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
+search: '| tstats `security_content_summariesonly` count max(_time) as lastTime,
 min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")`
diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
index 36e40b25e4..41cf89bcfe 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Inbound Outbound Network IO
 id: 4f3b0c97-657e-4547-a89a-9a50c656e3cd
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -63,7 +63,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart
diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
index a115c50b9f..660cb4ac26 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Inbound to Outbound Network IO Ratio
 id: 9d8f6e3f-39df-46d8-a9d4-96173edc501f
-version: 2
-date: '2024-05-26'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -67,7 +67,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart
diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
index 893fa07fce..27483d2891 100644
--- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
+++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Previously Unseen Container Image Name
 id: fea515a4-b1d8-4cd6-80d6-e0d71397b891
-version: 2
-date: '2024-05-27'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -54,7 +54,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart
diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml
index 605ca069bb..5c5c73f4be 100644
--- a/detections/cloud/kubernetes_previously_unseen_process.yml
+++ b/detections/cloud/kubernetes_previously_unseen_process.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Previously Unseen Process
 id: c8119b2f-d7f7-40be-940a-1c582870e8e2
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -53,7 +53,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart
diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml
index 41b969d36b..17bf0230ed 100644
--- a/detections/cloud/kubernetes_process_running_from_new_path.yml
+++ b/detections/cloud/kubernetes_process_running_from_new_path.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Process Running From New Path
 id: 454076fb-0e9e-4adf-b93a-da132621c5e6
-version: 2
-date: '2024-05-27'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -54,7 +54,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart
diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
index 44d9d3dce9..5ca1eb40fc 100644
--- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
+++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Process with Anomalous Resource Utilisation
 id: 25ca9594-7a0d-4a95-a5e5-3228d7398ec8
-version: 2
-date: '2024-05-27'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -62,7 +62,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart
diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
index 870ba66146..bbae2e0b0f 100644
--- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
+++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Process with Resource Ratio Anomalies
 id: 0d42b295-0f1f-4183-b75e-377975f47c65
-version: 2
-date: '2024-05-30'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -61,7 +61,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
index 53ba59cfd2..1e391eed9a 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Shell Running on Worker Node
 id: efebf0c4-dcf4-496f-85a2-5ab7ad8fa876
-version: 2
-date: '2024-05-25'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -51,7 +51,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart/tree/main
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
index 7440e985c8..28efa94614 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Shell Running on Worker Node with CPU Activity
 id: cc1448e3-cc7a-4518-bc9f-2fa48f61a22b
-version: 2
-date: '2024-05-11'
+version: 3
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -52,7 +52,7 @@ how_to_implement: 'To implement this detection, follow these steps:
 * Leave all other settings at their default values.
- * Run the Search Baseline Of Kubernetes Container Network IO Ratio '
+ * Run the Search Baseline Of Kubernetes Container Network IO Ratio'
 known_false_positives: unknown
 references:
 - https://github.com/signalfx/splunk-otel-collector-chart/tree/main
diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml
index afe0f18efd..4299ba60ea 100644
--- a/detections/cloud/o365_application_available_to_other_tenants.yml
+++ b/detections/cloud/o365_application_available_to_other_tenants.yml
@@ -1,14 +1,14 @@
 name: O365 Application Available To Other Tenants
 id: 942548a3-0273-47a4-8dbd-e5202437395c
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic identifies the configuration of Azure Active Directory Applications in a manner that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access of any data or capabilities the application is allowed to access. This detection leverages the O365 Universal Audit Log data source.
 data_source:
 - Office 365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add application.","Update application.") ModifiedProperties{}.Name=AvailableToOtherTenants | eval result = case(match(mvindex('ModifiedProperties{}.NewValue',mvfind('ModifiedProperties{}.Name',"AvailableToOtherTenants")),"false"),"removed",true(),"added"), object_name=mvindex('Target{}.ID', 3), signature=Operation, object_attrs = "AvailableToOtherTenants", user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | search result = "added"
diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml
index 6f6cb2f0e1..a37e15202a 100644
--- a/detections/cloud/o365_cross_tenant_access_change.yml
+++ b/detections/cloud/o365_cross_tenant_access_change.yml
@@ -1,14 +1,14 @@
 name: O365 Cross-Tenant Access Change
 id: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic identifies when cross-tenant access/synchronization policies are changed in an Azure tenant. Adversaries have been observed altering victim cross-tenant policies as a method of lateral movement or maintaining persistent access to compromised environments. These policies should be considered sensitive and monitored for changes and/or loose configuration.
 data_source:
 - Office 365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add a partner to cross-tenant access setting.","Delete partner specific cross-tenant access setting.") | eval user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | stats values(Workload) as category, values(ClientIP) as src, values(ModifiedProperties{}.Name) as object_name, values(ModifiedProperties{}.NewValue) as object_attrs, count, min(_time) as firstTime, max(_time) as lastTime by Id,user,Operation
diff --git a/detections/cloud/o365_dlp_rule_triggered.yml b/detections/cloud/o365_dlp_rule_triggered.yml
index b41bb2c6c1..842be25ee5 100644
--- a/detections/cloud/o365_dlp_rule_triggered.yml
+++ b/detections/cloud/o365_dlp_rule_triggered.yml
@@ -1,14 +1,14 @@
 name: O365 DLP Rule Triggered
 id: 63a8a537-36fd-4aac-a3ea-1a96afd2c871
-version: 1
-date: '2024-04-01'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: Anomaly
 description: The following analytic detects when Microsoft Office 365 Data Loss Prevention (DLP) rules have been triggered. DLP rules can be configured for any number of security, regulatory, or business compliance reasons, as such this analytic will only be as accurate as the upstream DLP configuration. Detections from this analytic should be evaluated thoroughly to determine what, if any, security relevance the underlying DLP events contain.
 data_source:
 - O365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Operation=DLPRuleMatch | eval recipient = 'ExchangeMetaData.To{}', signature_id = 'ExchangeMetaData.UniqueID', signature = 'PolicyDetails{}.Rules{}.RuleName' , src_user = UserId, reason ='PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationTypeName', result='PolicyDetails{}.Rules{}.Actions{}', file_name=case(NOT match('PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location',"Message Body"),'PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location') | stats min(_time) as firstTime max(_time) as lastTime values(signature) as signature values(file_name) as file_name values(ExchangeMetaData.Subject) AS subject values(Workload) as app values(result) as result by src_user,recipient,signature_id,reason
diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml
index a00581e3d9..97748a260c 100644
--- a/detections/cloud/o365_external_guest_user_invited.yml
+++ b/detections/cloud/o365_external_guest_user_invited.yml
@@ -1,14 +1,14 @@
 name: O365 External Guest User Invited
 id: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. This detection leverages the Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data source.
 data_source:
 - Office 365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Workload=AzureActiveDirectory AND Operation="Add user*" AND ModifiedProperties{}.NewValue="[*Guest*]" AND ModifiedProperties{}.NewValue="[*Invitation*]" | eval user = (mvindex('ModifiedProperties{}.NewValue',5)), src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | rex field=user "(?[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})"
diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml
index a9dbb3c6f0..1e25e96c5e 100644
--- a/detections/cloud/o365_external_identity_policy_changed.yml
+++ b/detections/cloud/o365_external_identity_policy_changed.yml
@@ -1,14 +1,14 @@
 name: O365 External Identity Policy Changed
 id: 29af1725-7a72-4d2d-8a18-e697e79a62d3
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic identifies when changes are made to the external guest policies within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. This detection also attempts to highlight what may have changed. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`.
 data_source:
 - Office 365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Workload=AzureActiveDirectory Operation="Update policy." Target{}.ID="B2BManagementPolicy" | eval object_attrs = mvindex('ModifiedProperties{}.NewValue',0), object_attrs_old = mvindex('ModifiedProperties{}.OldValue',0), object_name = mvindex('Target{}.ID',3), signature=Operation, user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) | spath input=object_attrs_old output=B2BOld path={}
diff --git a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
index e150b2ab53..360385d549 100644
--- a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
+++ b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
@@ -1,7 +1,7 @@
 name: O365 SharePoint Allowed Domains Policy Changed
 id: b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c
-version: 1
-date: '2024-04-01'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
@@ -18,7 +18,7 @@ search: >
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_sharepoint_allowed_domains_policy_changed_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
 known_false_positives: Business approved changes by known administrators.
 references:
 - https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
index 0d5eb040d0..8808ce6cc9 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml
@@ -1,14 +1,14 @@
 name: AWS Cloud Provisioning From Previously Unseen City
 id: 344a1778-0b25-490c-adb1-de8beddf59cd
-version: 2
-date: '2024-08-16'
+version: 3
+date: '2024-09-24'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
 description: 'This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the
- latest Change Datamodel. '
+ latest Change Datamodel.'
 data_source: []
 search: '`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
index 364b9ab482..ce54603fd7 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml
@@ -1,14 +1,14 @@
 name: AWS Cloud Provisioning From Previously Unseen Country
 id: ceb8d3d8-06cb-49eb-beaf-829526e33ff0
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
 description: 'This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use
- the latest Change Datamodel. '
+ the latest Change Datamodel.'
 data_source: []
 search: '`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) |
diff --git a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
index fd2b906142..6305f54912 100644
--- a/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
+++ b/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml
@@ -1,14 +1,14 @@
 name: AWS Cloud Provisioning From Previously Unseen IP Address
 id: 42e15012-ac14-4801-94f4-f1acbe64880b
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
 description: 'This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use
- the latest Change Datamodel. '
+ the latest Change Datamodel.'
 data_source: []
 search: '`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time)
diff --git a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
index 7d39a1e05b..ce7746332b 100644
--- a/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml
@@ -1,7 +1,7 @@
 name: Kubernetes AWS detect sensitive role access
 id: b6013a7b-85e0-4a45-b051-10b252d69569
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: Rod Soto, Splunk
 status: deprecated
 type: Hunting
@@ -15,7 +15,7 @@ search: '`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrole
 how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.
 known_false_positives: 'Sensitive role resource access is necessary for cluster operation,
- however source IP, namespace and user group may indicate possible malicious use. '
+ however source IP, namespace and user group may indicate possible malicious use.'
 references: []
 tags:
 analytic_story:
diff --git a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
index 6534ebeab7..57bc8af26b 100644
--- a/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Azure detect sensitive role access
 id: f27349e5-1641-4f6a-9e68-30402be0ad4c
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: Rod Soto, Splunk
 status: deprecated
 type: Hunting
@@ -15,7 +15,7 @@ search: '`kubernetes_azure` category=kube-audit | spath input=properties.log| se
 how_to_implement: You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics
 known_false_positives: 'Sensitive role resource access is necessary for cluster operation,
- however source IP, namespace and user group may indicate possible malicious use. '
+ however source IP, namespace and user group may indicate possible malicious use.'
 references: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml
index d60a07c41e..76d5bb52d3 100644
--- a/detections/endpoint/lolbas_with_network_traffic.yml
+++ b/detections/endpoint/lolbas_with_network_traffic.yml
@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 2
-date: '2024-05-11'
+version: 3
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
@@ -38,7 +38,7 @@ how_to_implement: To successfully implement this detection you must ingest event
 of this type this data type.
 known_false_positives: 'Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit
- internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") '
+ internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")'
 references:
 - https://lolbas-project.github.io/#
 - https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/
diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
index 38e345f8f3..c84e69682d 100644
--- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
+++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process With Obfuscation Techniques
 id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4
-version: 6
-date: '2024-05-18'
+version: 7
+date: '2024-09-24'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -23,7 +23,7 @@ search: "| tstats `security_content_summariesonly` count values(Processes.proces
 `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"\ `\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation
- > 10 "
+ > 10"
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search,
diff --git a/detections/endpoint/windows_dism_install_powershell_web_access.yml b/detections/endpoint/windows_dism_install_powershell_web_access.yml
index a8d8e8c986..25b873a0d4 100644
--- a/detections/endpoint/windows_dism_install_powershell_web_access.yml
+++ b/detections/endpoint/windows_dism_install_powershell_web_access.yml
@@ -1,7 +1,7 @@
 name: Windows DISM Install PowerShell Web Access
 id: fa6142a7-c364-4d11-9954-895dd9efb2d4
-version: 1
-date: '2024-09-03'
+version: 2
+date: '2024-09-24'
 author: Michael Haag, Splunk
 data_sources:
 - Windows Event Log Security 4688
@@ -9,7 +9,7 @@ data_sources:
 type: TTP
 status: production
 description: The following analytic detects the installation of PowerShell Web Access using the Deployment Image Servicing and Management (DISM) tool. It leverages Sysmon Event ID 1 to identify the execution of `dism.exe` with specific parameters related to enabling the WindowsPowerShellWebAccess feature. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks. If confirmed malicious, this action could lead to further exploitation and compromise of the affected system.
-search: ' | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
 from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process="*WindowsPowerShellWebAccess*" AND Processes.process="*/online*" AND Processes.process="*/enable-feature*")
diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
index 745a615e16..677e24ead8 100644
--- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
 name: Windows Rapid Authentication On Multiple Hosts
 id: 62606c77-d53d-4182-9371-b02cdbbbcef7
-version: 2
-date: '2024-05-16'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
@@ -14,7 +14,7 @@ description: The following analytic detects a source computer authenticating to
 movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.
-search: ' `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS
+search: '`wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS
 LOGON" TargetUserName!="*$" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`'
diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml
index 1290d1c7be..68417ddda1 100644
--- a/detections/network/detect_windows_dns_sigred_via_zeek.yml
+++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml
@@ -1,7 +1,7 @@
 name: Detect Windows DNS SIGRed via Zeek
 id: c5c622e4-d073-11ea-87d0-0242ac130003
-version: 3
-date: '2024-08-19'
+version: 4
+date: '2024-09-24'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
@@ -13,7 +13,7 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Network_
 | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id
- | where count>1 | fields - count '
+ | where count>1 | fields - count'
 how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The
From 8b675ad971b5d4c4518ba360d24d568c40379cfc Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 24 Sep 2024 17:04:43 -0700
Subject: [PATCH 3/5] More detections have been updated. there are still a few with extra whitespace that must be taken care of
---
 .../cloud/o365_multiple_mailboxes_accessed_via_api.yml | 7 +++----
 detections/cloud/o365_privileged_role_assigned.yml | 6 +++---
 .../o365_privileged_role_assigned_to_service_principal.yml | 6 +++---
 .../kubernetes_gcp_detect_sensitive_role_access.yml | 6 +++---
 .../deprecated/windows_connhost_exe_started_forcefully.yml | 6 +++---
 .../endpoint/add_or_set_windows_defender_exclusion.yml | 7 +++----
 detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 7 +++----
 detections/endpoint/eventvwr_uac_bypass.yml | 7 +++----
 .../executables_or_script_creation_in_suspicious_path.yml | 7 +++----
 detections/endpoint/fodhelper_uac_bypass.yml | 7 +++----
 detections/endpoint/suspicious_process_file_path.yml | 7 +++----
 .../windows_access_token_manipulation_sedebugprivilege.yml | 7 +++----
 .../endpoint/windows_defender_exclusion_registry_entry.yml | 7 +++----
 .../windows_local_administrator_credential_stuffing.yml | 5 ++---
 ...inevent_windows_task_scheduler_event_action_started.yml | 7 +++----
 15 files changed, 44 insertions(+), 55 deletions(-)
diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
index 1fe3468af4..f437a3129a 100644
--- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
+++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple Mailboxes Accessed via API
 id: 7cd853e9-d370-412f-965d-a2bcff2a2908
-version: 2
-date: '2024-05-16'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - O365 MailItemsAccessed
@@ -67,7 +67,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log
 source: o365
 sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml
index f5f626d370..566d96451f 100644
--- a/detections/cloud/o365_privileged_role_assigned.yml
+++ b/detections/cloud/o365_privileged_role_assigned.yml
@@ -1,14 +1,14 @@
 name: O365 Privileged Role Assigned
 id: db435700-4ddc-4c23-892e-49e7525d7d39
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source.
 data_source:
 - Office 365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2) | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature
diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
index ebbe154331..4585ff278c 100644
--- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
@@ -1,14 +1,14 @@
 name: O365 Privileged Role Assigned To Service Principal
 id: 80f3fc1b-705f-4080-bf08-f61bf013b900
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.
 data_source:
 - Office 365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2) | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature
diff --git a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
index dde0aacc73..1d754390a7 100644
--- a/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
+++ b/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml
@@ -1,7 +1,7 @@
 name: Kubernetes GCP detect sensitive role access
 id: a46923f6-36b9-4806-a681-31f314907c30
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: Rod Soto, Splunk
 status: deprecated
 type: Hunting
@@ -16,7 +16,7 @@ how_to_implement: You must install splunk add on for GCP. This search works with
 messaging servicelogs.
 known_false_positives: 'Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious
- use. '
+ use.'
 references: []
 tags:
 analytic_story:
diff --git a/detections/deprecated/windows_connhost_exe_started_forcefully.yml b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
index 8f3fcab9fe..1af0aea67d 100644
--- a/detections/deprecated/windows_connhost_exe_started_forcefully.yml
+++ b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
@@ -1,7 +1,7 @@
 name: Windows connhost exe started forcefully
 id: c114aaca-68ee-41c2-ad8c-32bf21db8769
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: Rod Soto, Jose Hernandez, Splunk
 status: deprecated
 type: TTP
@@ -9,7 +9,7 @@ description: 'The search looks for the Console Window Host process (connhost.exe
 executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized
- this is not specific to Ryuk. '
+ this is not specific to Ryuk.'
 data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
index bdcb476131..c155da3316 100644
--- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml
+++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 2
-date: '2024-05-29'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -86,7 +86,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
index 92fe898687..e35523fe83 100644
--- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
+++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: CMLUA Or CMSTPLUA UAC Bypass
 id: f87b5062-b405-11eb-a889-acde48001122
-version: 2
-date: '2024-05-05'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -64,7 +64,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml
index 4e28791c3c..6f05392112 100644
--- a/detections/endpoint/eventvwr_uac_bypass.yml
+++ b/detections/endpoint/eventvwr_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: Eventvwr UAC Bypass
 id: 9cf8fe08-7ad8-11eb-9819-acde48001122
-version: 4
-date: '2024-05-26'
+version: 5
+date: '2024-09-24'
 author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
@@ -93,7 +93,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 09e2f24d47..3e4abe03ca 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 2
-date: '2024-05-21'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -108,7 +108,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml
index 8b21b747d4..bedd7f6287 100644
--- a/detections/endpoint/fodhelper_uac_bypass.yml
+++ b/detections/endpoint/fodhelper_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: FodHelper UAC Bypass
 id: 909f8fd8-7ac8-11eb-a1f3-acde48001122
-version: 3
-date: '2024-05-15'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -84,7 +84,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml
index efdb4fe588..3d5191e24c 100644
--- a/detections/endpoint/suspicious_process_file_path.yml
+++ b/detections/endpoint/suspicious_process_file_path.yml
@@ -1,7 +1,7 @@
 name: Suspicious Process File Path
 id: 9be25988-ad82-11eb-a14f-acde48001122
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -115,7 +115,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
index ff1fe33c90..e3f506bda4 100644
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
+++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -1,7 +1,7 @@
 name: Windows Access Token Manipulation SeDebugPrivilege
 id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: 2
-date: '2024-05-20'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -73,8 +73,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
 update_timestamp: true
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
index c8dd16f139..0caa33d2ad 100644
--- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml
+++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
@@ -1,7 +1,7 @@
 name: Windows Defender Exclusion Registry Entry
 id: 13395a44-4dd9-11ec-9df7-acde48001122
-version: 4
-date: '2024-05-21'
+version: 5
+date: '2024-09-24'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -71,7 +71,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
index 4eb648a1b9..608cf6dd76 100644
--- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml
+++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
@@ -1,6 +1,6 @@
 name: Windows Local Administrator Credential Stuffing
 id: 09555511-aca6-484a-b6ab-72cd03d73c34
-version: 2
+version: 3
 date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
@@ -69,7 +69,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
index df5bc7bc98..a4acc42715 100644
--- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
+++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -1,7 +1,7 @@
 name: WinEvent Windows Task Scheduler Event Action Started
 id: b3632472-310b-11ec-9aab-acde48001122
-version: 3
-date: '2024-05-20'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -74,7 +74,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
From 4cf943ffa487e05dd1abc9b2aafd34f59206b24d Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 24 Sep 2024 21:46:38 -0700
Subject: [PATCH 4/5] Final round of fixes to fields with extra newlines with version and date bumps.
---
 baselines/baseline_of_kubernetes_container_network_io.yml | 6 +++---
 .../baseline_of_kubernetes_container_network_io_ratio.yml | 6 +++---
 .../baseline_of_kubernetes_process_resource_ratio.yml | 6 +++---
 .../o365_sharepoint_allowed_domains_policy_changed.yml | 4 ++--
 investigations/get_dns_traffic_ratio.yml | 6 +++---
 .../investigate_aws_user_activities_by_user_field.yml | 6 +++---
 investigations/investigate_pass_the_ticket_attempts.yml | 6 +++---
 ...estigate_successful_remote_desktop_authentications.yml | 6 +++---
 investigations/investigate_web_posts_from_src.yml | 6 +++---
 stories/aws_iam_privilege_escalation.yml | 6 +++---
 stories/azure_active_directory_persistence.yml | 7 +++----
 stories/collection_and_staging.yml | 6 +++---
 stories/deprecated/common_phishing_frameworks.yml | 6 +++---
 stories/deprecated/lateral_movement.yml | 6 +++---
 stories/deprecated/monitor_for_unauthorized_software.yml | 8 ++++----
 stories/emotet_malware_dhs_report_ta18_201a.yml | 6 +++---
 stories/ivanti_epm_vulnerabilities.yml | 8 ++++----
 stories/spring4shell_cve_2022_22965.yml | 8 +++-----
 stories/suspicious_aws_login_activities.yml | 6 +++---
 stories/suspicious_cloud_authentication_activities.yml | 6 +++---
 stories/suspicious_regsvcs_regasm_activity.yml | 6 +++---
 stories/windows_defense_evasion_tactics.yml | 6 +++---
 22 files changed, 67 insertions(+), 70 deletions(-)
diff --git a/baselines/baseline_of_kubernetes_container_network_io.yml b/baselines/baseline_of_kubernetes_container_network_io.yml
index c1a0c38d96..16d5674e7c 100644
--- a/baselines/baseline_of_kubernetes_container_network_io.yml
+++ b/baselines/baseline_of_kubernetes_container_network_io.yml
@@ -1,7 +1,7 @@
 name: Baseline Of Kubernetes Container Network IO
 id: 6edaca1d-d436-42d0-8df0-6895d3bf5b70
-version: 1
-date: '2023-12-19'
+version: 4
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
 datamodel: []
@@ -15,7 +15,7 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8
 | stats avg(eval(if(direction="transmit", io,null()))) as avg_outbound_network_io avg(eval(if(direction="receive", io,null()))) as avg_inbound_network_io stdev(eval(if(direction="transmit", io,null()))) as stdev_outbound_network_io stdev(eval(if(direction="receive", io,null()))) as stdev_inbound_network_io count latest(_time) as last_seen by key
- | outputlookup k8s_container_network_io_baseline '
+ | outputlookup k8s_container_network_io_baseline'
 how_to_implement: 'To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration.
diff --git a/baselines/baseline_of_kubernetes_container_network_io_ratio.yml b/baselines/baseline_of_kubernetes_container_network_io_ratio.yml
index 58081ab168..82964ddaf8 100644
--- a/baselines/baseline_of_kubernetes_container_network_io_ratio.yml
+++ b/baselines/baseline_of_kubernetes_container_network_io_ratio.yml
@@ -1,7 +1,7 @@
 name: Baseline Of Kubernetes Container Network IO Ratio
 id: f395003b-6389-4e14-89bf-ac4dbea215bd
-version: 1
-date: '2023-12-19'
+version: 2
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
 datamodel: []
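Review bot: `version` for baseline_of_kubernetes_container_network_io jumps from 1 to 4 in the first hunk, while the two sibling baselines in this patch (container_network_io_ratio here and process_resource_ratio in the next file) go from 1 to 2 for the same trailing-whitespace fix. Unless versions 2 and 3 of this baseline exist elsewhere, this looks like a typo in the bump and the line should be `+version: 2`. Worth confirming against the file's history before merging, since the version is what downstream content tooling keys on.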
@@ -18,7 +18,7 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8
 | eval outbound:inbound = outbound_network_io/inbound_network_io | stats avg(*:*) as avg_*:* stdev(*:*) as stdev_*:* count latest(_time) as last_seen by key
- | outputlookup k8s_container_network_io_ratio_baseline '
+ | outputlookup k8s_container_network_io_ratio_baseline'
 how_to_implement: 'To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration.
diff --git a/baselines/baseline_of_kubernetes_process_resource_ratio.yml b/baselines/baseline_of_kubernetes_process_resource_ratio.yml
index 5692782e3c..dbfb5abe47 100644
--- a/baselines/baseline_of_kubernetes_process_resource_ratio.yml
+++ b/baselines/baseline_of_kubernetes_process_resource_ratio.yml
@@ -1,7 +1,7 @@
 name: Baseline Of Kubernetes Process Resource Ratio
 id: 427f81cf-ce6a-4a24-a73d-70c50171ea66
-version: 1
-date: '2023-12-18'
+version: 2
+date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
 datamodel: []
@@ -20,7 +20,7 @@ search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host
 | stats avg(cpu:mem) as avg_cpu:mem stdev(cpu:mem) as stdev_cpu:mem avg(cpu:disk) as avg_cpu:disk stdev(cpu:disk) as stdev_cpu:disk avg(mem:disk) as avg_mem:disk stdev(mem:disk) as stdev_mem:disk avg(cpu:threads) as avg_cpu:threads stdev(cpu:threads) as stdev_cpu:threads avg(disk:threads) as avg_disk:threads stdev(disk:threads) as stdev_disk:threads count latest(_time) as last_seen by key
- | outputlookup k8s_process_resource_ratio_baseline '
+ | outputlookup k8s_process_resource_ratio_baseline'
 how_to_implement: 'To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration.
diff --git a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
index 360385d549..d023ee8e70 100644
--- a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
+++ b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
@@ -1,6 +1,6 @@
 name: O365 SharePoint Allowed Domains Policy Changed
 id: b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c
-version: 2
+version: 3
 date: '2024-09-24'
 author: Steven Dick
 status: production
@@ -8,7 +8,7 @@ type: TTP
 description: The following analytic identifies when the allowed domain settings for O365 SharePoint have been changed. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations may also need access to OneDrive/SharePoint resources. These changed should be monitored by security teams as they could potentially lead to unauthorized access.
 data_source:
 - O365 Universal Audit Log
-search: >
+search: >-
 `o365_management_activity` Workload=SharePoint Operation=SharingPolicyChanged "ModifiedProperties{}.Name"=AllowDomainList | eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name='ModifiedProperties{}.Name', object_attrs_new = split(replace('ModifiedProperties{}.NewValue',"\.\.\.",""),","), object_attrs_old = split(replace('ModifiedProperties{}.OldValue',"\.\.\.",""),",") | stats values(object_attrs_new) as object_attrs_new, values(object_attrs_old) as object_attrs_old, values(src) as src, count, min(_time) as firstTime, max(_time) as lastTime by user,signature,signature_id,object_name
diff --git a/investigations/get_dns_traffic_ratio.yml b/investigations/get_dns_traffic_ratio.yml
index f02687135e..ee8600d8bc 100644
--- a/investigations/get_dns_traffic_ratio.yml
+++ b/investigations/get_dns_traffic_ratio.yml
@@ -1,7 +1,7 @@
 name: Get DNS traffic ratio
 id: bc91a8cf-35e7-4bb2-8140-e756cc06fd73
-version: 1
-date: '2017-11-09'
+version: 2
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 type: Investigation
 datamodel:
@@ -10,7 +10,7 @@ description: 'This search calculates the ratio of DNS traffic originating and co
 from a host to a list of DNS servers over the last 24 hours. A high value of this ratio could be very useful to quickly understand if a src_ip (host) is sending a high volume of data out via port 53, could be an indicator of data exfiltration
- via DNS. '
+ via DNS.'
 search: '| tstats allow_old_summaries=true sum(All_Traffic.bytes_out) as "bytes_out" sum(All_Traffic.bytes_in) as "bytes_in" from datamodel=Network_Traffic where nodename=All_Traffic All_Traffic.dest_port=53 by All_Traffic.src All_Traffic.dest| `drop_dm_object_name(All_Traffic)`
diff --git a/investigations/investigate_aws_user_activities_by_user_field.yml b/investigations/investigate_aws_user_activities_by_user_field.yml
index 8b8f3a6091..b57a5b8bcb 100644
--- a/investigations/investigate_aws_user_activities_by_user_field.yml
+++ b/investigations/investigate_aws_user_activities_by_user_field.yml
@@ -1,7 +1,7 @@
 name: Investigate AWS User Activities by user field
 id: bc91a8cd-35e7-4bb2-6140-e756cc46fd76
-version: 1
-date: '2018-03-12'
+version: 2
+date: '2024-09-24'
 author: Bhavin Patel, Splunk
 type: Investigation
 datamodel: []
@@ -10,7 +10,7 @@ description: This search lists all the logged CloudTrail activities by a specifi
 activity, the name and type of the event, the action taken, and the user's identity information.
 search: '`cloudtrail` user=$user$ | table _time userIdentity.type userIdentity.userName
- userIdentity.arn aws_account_id src awsRegion eventName eventType '
+ userIdentity.arn aws_account_id src awsRegion eventName eventType'
 how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.
diff --git a/investigations/investigate_pass_the_ticket_attempts.yml b/investigations/investigate_pass_the_ticket_attempts.yml
index 095a1e471c..aec933ac8b 100644
--- a/investigations/investigate_pass_the_ticket_attempts.yml
+++ b/investigations/investigate_pass_the_ticket_attempts.yml
@@ -1,7 +1,7 @@
 name: Investigate Pass the Ticket Attempts
 id: 990007ad-d798-4b29-ab2f-f0034144c937
-version: 1
-date: '2019-12-10'
+version: 2
+date: '2024-09-24'
 author: Patrick Bareiss, Splunk
 type: Investigation
 datamodel: []
@@ -9,7 +9,7 @@ description: This search hunts for dumped kerberos ticket from LSASS memory.
 search: '`wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user "(?[^\@]+)" | stats count BY new_user, dest, EventCode | stats max(count) AS max_count sum(count) AS sum_count BY new_user, dest| search dest=$dest$ | where
- sum_count/max_count!=2 | rename new_user AS user '
+ sum_count/max_count!=2 | rename new_user AS user'
 how_to_implement: To successfully implement this search you need to be ingesting windows security logs. This search uses an input macro named `wineventlog_security`. We strongly recommend that you specify your environment-specific configurations (index,
diff --git a/investigations/investigate_successful_remote_desktop_authentications.yml b/investigations/investigate_successful_remote_desktop_authentications.yml
index 0ef0b02006..2188ea6be0 100644
--- a/investigations/investigate_successful_remote_desktop_authentications.yml
+++ b/investigations/investigate_successful_remote_desktop_authentications.yml
@@ -1,14 +1,14 @@
 name: Investigate Successful Remote Desktop Authentications
 id: b6618e8e-be04-40a0-a0b9-f0bd4b6c81bc
-version: 1
-date: '2018-12-14'
+version: 2
+date: '2024-09-24'
 author: Jose Hernandez, Splunk
 type: Investigation
 datamodel:
 - Authentication
 description: 'This search returns the source, destination, and user for all successful remote-desktop authentications. A successful authentication after a brute-force
- attack on a destination machine is suspicious behavior. '
+ attack on a destination machine is suspicious behavior.'
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature_id=4624 Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app
diff --git a/investigations/investigate_web_posts_from_src.yml b/investigations/investigate_web_posts_from_src.yml
index 4a5cfe9dc2..66a9f47209 100644
--- a/investigations/investigate_web_posts_from_src.yml
+++ b/investigations/investigate_web_posts_from_src.yml
@@ -1,14 +1,14 @@ name: Investigate Web POSTs From src id: f5c39fac-205c-4e07-9004-8fd61ea3431a -version: 1 -date: '2018-12-06' +version: 2 +date: '2024-09-24' author: Jose Hernandez, Splunk type: Investigation datamodel: - Web description: 'This investigative search retrieves POST requests from a specified source IP or hostname. Identifying the POST requests, as well as their associated destination - URLs and user agent(s), may help you scope and characterize the suspicious traffic. ' + URLs and user agent(s), may help you scope and characterize the suspicious traffic.' search: '| tstats `security_content_summariesonly` values(Web.url) as url from datamodel=Web by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name("Web")`| search http_method, "POST" | search src=$src$' diff --git a/stories/aws_iam_privilege_escalation.yml b/stories/aws_iam_privilege_escalation.yml index 3e36b29677..6d08eaa713 100644 --- a/stories/aws_iam_privilege_escalation.yml +++ b/stories/aws_iam_privilege_escalation.yml @@ -1,7 +1,7 @@ name: AWS IAM Privilege Escalation id: ced74200-8465-4bc3-bd2c-22782eec6750 -version: 1 -date: '2021-03-08' +version: 2 +date: '2024-09-24' author: Bhavin Patel, Splunk description: This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation. @@ -16,7 +16,7 @@ narrative: 'Amazon Web Services provides a neat feature called Identity and Acce detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious - events via this Analytic Story. ' + events via this Analytic Story.' references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ - https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect 
diff --git a/stories/azure_active_directory_persistence.yml b/stories/azure_active_directory_persistence.yml index 092f886c25..6f6bc34c18 100644 --- a/stories/azure_active_directory_persistence.yml +++ b/stories/azure_active_directory_persistence.yml @@ -1,7 +1,7 @@ name: Azure Active Directory Persistence id: dca983db-6334-4a0d-be32-80611ca1396c -version: 1 -date: '2022-08-17' +version: 2 +date: '2024-09-24' author: Mauricio Velazco, Splunk description: Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants. @@ -9,8 +9,7 @@ narrative: 'Azure Active Directory (Azure AD) is Microsofts enterprise cloud-bas services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. - This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. - ' + This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants.' references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis - https://azure.microsoft.com/en-us/services/active-directory/#overview diff --git a/stories/collection_and_staging.yml b/stories/collection_and_staging.yml index 15bc09195e..484b6aad63 100644 --- a/stories/collection_and_staging.yml +++ b/stories/collection_and_staging.yml 
@@ -1,12 +1,12 @@ name: Collection and Staging id: 8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a -version: 1 -date: '2020-02-03' +version: 2 +date: '2024-09-24' author: Rico Valdez, Splunk description: 'Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating - sensitive data. ' + sensitive data.' narrative: "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important diff --git a/stories/deprecated/common_phishing_frameworks.yml b/stories/deprecated/common_phishing_frameworks.yml index 95462f4798..c052315506 100644 --- a/stories/deprecated/common_phishing_frameworks.yml +++ b/stories/deprecated/common_phishing_frameworks.yml @@ -1,12 +1,12 @@ name: Common Phishing Frameworks id: 9a64ab44-9214-4639-8163-7eaa2621bd61 -version: 1 -date: '2019-04-29' +version: 2 +date: '2024-09-24' author: Splunk Research Team, Splunk type: batch description: 'Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on - a malicious link in a phishing email. ' + a malicious link in a phishing email.' narrative: 'As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), diff --git a/stories/deprecated/lateral_movement.yml b/stories/deprecated/lateral_movement.yml index fa03562798..6526b1196d 100644 
--- a/stories/deprecated/lateral_movement.yml
+++ b/stories/deprecated/lateral_movement.yml
@@ -1,10 +1,10 @@ name: Lateral Movement id: 399d65dc-1f08-499b-a259-abd9051f38ad -version: 2 -date: '2020-02-04' +version: 3 +date: '2024-09-24' author: David Dorsey, Splunk type: batch -description: " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts." +description: "DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts." narrative: "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. 
Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software." references: - https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html diff --git a/stories/deprecated/monitor_for_unauthorized_software.yml b/stories/deprecated/monitor_for_unauthorized_software.yml index f94433c67e..cfdf6a1fc6 100644 --- a/stories/deprecated/monitor_for_unauthorized_software.yml +++ b/stories/deprecated/monitor_for_unauthorized_software.yml @@ -1,11 +1,11 @@ name: Monitor for Unauthorized Software id: 8892a655-6205-43f7-abba-06460e38c8ae -version: 1 -date: '2017-09-15' +version: 2 +date: '2024-09-24' author: David Dorsey, Splunk type: batch description: 'Identify and investigate prohibited/unauthorized software or processes - that may be concealing malicious behavior within your environment. ' + that may be concealing malicious behavior within your environment.' narrative: 'It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within 
@@ -18,7 +18,7 @@ narrative: 'It is critical to identify unauthorized software and processes runni It is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. - For best results, schedule the search to run every two weeks. ' + For best results, schedule the search to run every two weeks.' references: - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ tags: diff --git a/stories/emotet_malware_dhs_report_ta18_201a.yml b/stories/emotet_malware_dhs_report_ta18_201a.yml index cd8bf16c3b..b651506c10 100644 --- a/stories/emotet_malware_dhs_report_ta18_201a.yml +++ b/stories/emotet_malware_dhs_report_ta18_201a.yml @@ -1,7 +1,7 @@ name: Emotet Malware DHS Report TA18-201A id: bb9f5ed2-916e-4364-bb6d-91c310efcf52 -version: 1 -date: '2020-01-27' +version: 2 +date: '2024-09-24' author: Bhavin Patel, Splunk description: Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch @@ -24,7 +24,7 @@ narrative: 'The trojan downloader known as Emotet first surfaced in 2014, when i used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised - your environment. ' + your environment.' references: - https://www.us-cert.gov/ncas/alerts/TA18-201A - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf diff --git a/stories/ivanti_epm_vulnerabilities.yml b/stories/ivanti_epm_vulnerabilities.yml index 2c6e509ef0..aa170bc81e 100644 --- a/stories/ivanti_epm_vulnerabilities.yml +++ b/stories/ivanti_epm_vulnerabilities.yml 
@@ -1,11 +1,11 @@ name: Ivanti EPM Vulnerabilities id: 4dcadae4-df82-42f3-9e77-4d852d20ac78 -version: 1 -date: '2024-06-18' +version: 2 +date: '2024-09-24' author: Michael Haag, Splunk -description: | +description: |- This analytic story covers various vulnerabilities identified in Ivanti Endpoint Manager (EPM), including but not limited to SQL injection, remote code execution, and privilege escalation. These vulnerabilities can potentially be exploited by adversaries to gain unauthorized access, execute arbitrary code, and compromise the security of managed endpoints. -narrative: | +narrative: |- Ivanti Endpoint Manager (EPM) is a comprehensive solution for managing and securing enterprise endpoints. However, like any complex software, it is not immune to vulnerabilities. This story aggregates multiple CVEs affecting Ivanti EPM, providing insights into different types of security weaknesses such as SQL injection, remote code execution, and privilege escalation. By understanding and monitoring these vulnerabilities, organizations can better protect their infrastructure from potential attacks and ensure the integrity and security of their managed devices. references: - https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/ diff --git a/stories/spring4shell_cve_2022_22965.yml b/stories/spring4shell_cve_2022_22965.yml index e4364c10dc..08345cf642 100644 --- a/stories/spring4shell_cve_2022_22965.yml +++ b/stories/spring4shell_cve_2022_22965.yml 
@@ -1,7 +1,7 @@ name: Spring4Shell CVE-2022-22965 id: dcc19913-6918-4ed2-bbba-a6b484c10ef4 -version: 1 -date: '2022-04-05' +version: 2 +date: '2024-09-24' author: Michael Haag, Splunk description: Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications. narrative: 'An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. @@ -14,9 +14,7 @@ According to Spring, the following requirements were included in the vulnerabili - Packaged as a WAR -- spring-webmvc or spring-webflux dependency - -' +- spring-webmvc or spring-webflux dependency' references: - https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability tags: diff --git a/stories/suspicious_aws_login_activities.yml b/stories/suspicious_aws_login_activities.yml index 3191cce15d..8ec3aab745 100644 --- a/stories/suspicious_aws_login_activities.yml +++ b/stories/suspicious_aws_login_activities.yml @@ -1,11 +1,11 @@ name: Suspicious AWS Login Activities id: 2e8948a5-5239-406b-b56b-6c59f1268af3 -version: 1 -date: '2019-05-01' +version: 2 +date: '2024-09-24' author: Bhavin Patel, Splunk description: 'Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious - logins. ' + logins.' narrative: It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can 
diff --git a/stories/suspicious_cloud_authentication_activities.yml b/stories/suspicious_cloud_authentication_activities.yml index 06f70b776c..44c0e56a6e 100644 --- a/stories/suspicious_cloud_authentication_activities.yml +++ b/stories/suspicious_cloud_authentication_activities.yml @@ -1,11 +1,11 @@ name: Suspicious Cloud Authentication Activities id: 6380ebbb-55c5-4fce-b754-01fd565fb73c -version: 1 -date: '2020-06-04' +version: 2 +date: '2024-09-24' author: Rico Valdez, Splunk description: 'Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help - you stay aware of and investigate suspicious login activity. ' + you stay aware of and investigate suspicious login activity.' narrative: 'It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary diff --git a/stories/suspicious_regsvcs_regasm_activity.yml b/stories/suspicious_regsvcs_regasm_activity.yml index 09be2339ed..2196acbe57 100644 --- a/stories/suspicious_regsvcs_regasm_activity.yml +++ b/stories/suspicious_regsvcs_regasm_activity.yml 
@@ -1,10 +1,10 @@ author: Michael Haag, Splunk -date: '2021-02-11' +date: '2024-09-24' description: Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. id: 2cdf33a0-4805-4b61-b025-59c20f418fbe name: Suspicious Regsvcs Regasm Activity -narrative: ' Adversaries may abuse Regsvcs and Regasm to proxy execution of code through +narrative: 'Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious @@ -23,4 +23,4 @@ tags: - Splunk Enterprise Security - Splunk Cloud usecase: Advanced Threat Detection -version: 1 +version: 2 diff --git a/stories/windows_defense_evasion_tactics.yml b/stories/windows_defense_evasion_tactics.yml index bb117a7a09..b700bfb835 100644 --- a/stories/windows_defense_evasion_tactics.yml +++ b/stories/windows_defense_evasion_tactics.yml @@ -1,11 +1,11 @@ name: Windows Defense Evasion Tactics id: 56e24a28-5003-4047-b2db-e8f3c4618064 -version: 1 -date: '2018-05-31' +version: 2 +date: '2024-09-24' author: David Dorsey, Splunk description: 'Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` - and disabling user-account control, among many others ' + and disabling user-account control, among many others' narrative: Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable From cba6e93c12d065d2e5ecac5b2958a1e86d9b2aab Mon Sep 17 00:00:00 2001 
From: pyth0n1c
Date: Wed, 25 Sep 2024 09:30:27 -0700
Subject: [PATCH 5/5] update workflow to fix appinspect and version checking
---
 .github/workflows/appinspect.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
index 4d027af9a1..c386dfc443 100644
--- a/.github/workflows/appinspect.yml
+++ b/.github/workflows/appinspect.yml
@@ -1,10 +1,9 @@
 name: appinspect
 on:
   pull_request_target:
+  pull_request:
+    types: [opened, reopened, synchronize]
   push:
-    branches:
-      - develop
-
 jobs:
   appinspect:
     runs-on: ubuntu-latest
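Review bot: With the new `pull_request:` trigger in place, the retained `pull_request_target:` directly above it means every pull request now starts this job twice, and the `pull_request_target` run executes in the base repository's context with its secrets and, depending on the repository's default permissions, a write-capable token, even for pull requests from forks. If the steps after `runs-on` (outside this hunk) check out and process the pull request's head revision, that second run is the one to scrutinize; unless a step genuinely needs a secret, dropping the `pull_request_target:` line and keeping only `pull_request:` removes both the duplication and the elevated-privilege path. Removing `branches: - develop` also appears to make `push:` fire on every branch, so commits to a PR branch would trigger a third run; `push: branches: [develop]` (or whichever branches the workflow is meant to gate) would limit that. The job body is outside the hunk, so these points are inferred from the trigger block alone.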