diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3d613bad10..57c9873004 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,7 +23,7 @@ jobs:
 - name: Install Python Dependencies and ContentCTL and Atomic Red Team
 run: |
- pip install contentctl
+ pip install contentctl==4.1.5
 git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git
 - name: Running build with enrichments
diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml
index ea3edbefcb..1535f2d09e 100644
--- a/.github/workflows/unit-testing.yml
+++ b/.github/workflows/unit-testing.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Install Python Dependencies and ContentCTL
 run: |
 python -m pip install --upgrade pip
- pip install contentctl
+ pip install contentctl==4.1.5
 # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
 # Make sure we check out the PR, even if it actually lives in a fork
diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml
index 5eb632163f..1fdb7b4204 100644
--- a/detections/endpoint/detect_renamed_psexec.yml
+++ b/detections/endpoint/detect_renamed_psexec.yml
@@ -1,8 +1,8 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 5
-date: '2024-05-11'
-author: Michael Haag, Splunk
+version: 6
+date: '2024-07-23'
+author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
 description: The following analytic identifies instances where `PsExec.exe` has been
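Review bot: The context line right after the new pin, `git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git`, still pulls whatever is at the tip of that branch, so the build is only half pinned: contentctl is fixed at 4.1.5 while the Atomic Red Team data feeding the enrichment step changes from run to run, and anything pushed to that branch lands in the next build unreviewed. Pin it to a reviewed commit as well, for example by following the clone with `git -C atomic-red-team fetch --depth=1 origin <ART_COMMIT_SHA_PLACEHOLDER>` and `git -C atomic-red-team checkout FETCH_HEAD`, and bump the SHA deliberately. The same `contentctl==4.1.5` pin is duplicated in the unit-testing.yml hunk; one requirements file referenced by both workflows would keep them from drifting and also allows `pip install --require-hashes -r <requirements-file>`, so the wheel's hash is checked rather than only its version.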
@@ -16,7 +16,7 @@ data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
 as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe
- OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c
+ AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c
 by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
 Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name
 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
index aec10199f4..c0991f8e37 100644
--- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
@@ -1,8 +1,8 @@
 name: Scheduled Task Initiation on Remote Endpoint
 id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 3
+version: 4
 date: '2024-07-23'
-author: Mauricio Velazco, Splunk
+author: Mauricio Velazco, Splunk, Badoodish, Github Community
 status: production
 type: TTP
 description: The following analytic detects the use of 'schtasks.exe' to start a Scheduled
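Review bot: With the corrected `Processes.process_name!=psexec.exe AND Processes.process_name!=psexec64.exe` the search now rests on `!=` semantics: in SPL a `field!=value` test does not match events where the field is absent, so — assuming the accelerated data model's `where` clause behaves like plain search here — a row carrying `original_file_name=psexec.c` but no `process_name` is silently dropped rather than surfaced, which is the opposite of what a hunt for a renamed binary wants. If that is not intended, `NOT Processes.process_name IN (psexec.exe, psexec64.exe)` keeps those rows and reads as the single exclusion it is. Both literals are lowercase while the binary reports itself as `PsExec.exe`; whether this comparison is case-insensitive for the accelerated field is worth confirming with one mixed-case sample event before version 6 ships. The `search` scalar opened on the second context line is not closed within the hunk, so the rest of the pipeline is outside this view.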
@@ -16,7 +16,7 @@ data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
 as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe
- OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*)
+ OR Processes.original_file_name=schtasks.exe) (Processes.process= "* /S *" AND Processes.process=*/run*)
 by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
 Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`'
diff --git a/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel b/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel
deleted file mode 100644
index 5aa2f7fd9c..0000000000
--- a/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel
+++ /dev/null
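Review bot: The new `Processes.process= "* /S *"` has a space after `=`, unlike every other comparison in this search including `Processes.process=*/run*` on the same line; SPL tolerates it, but it reads as a typo and should be `Processes.process="* /S *"`. The replaced pattern was lowercase `*/s*` and the replacement is uppercase `/S`; unless this field is matched case-insensitively by tstats, invocations typed as `/s` (schtasks accepts either case) would stop matching, so confirm with one sample of each case before relying on version 4. The tightening to a space-delimited token was applied only to `/S`, while `*/run*` still matches `/run` anywhere in the command line; the same quoting, `"* /run*"`, would keep the two conditions consistent and drop the same class of incidental matches the `/S` change removes.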
@@ -1,2 +0,0 @@ -algo,model,options -DetectRiskySPL,"{""__mlspl_type"": [""algos.DetectRiskySPL"", ""DetectRiskySPL""], ""dict"": {""classes"": null, ""target_variable"": [""risk_score""], ""feature_variables"": [""spl_text""], ""columns"": [""spl_text""], ""estimator"": {""__mlspl_type"": [""sklearn.pipeline"", ""Pipeline""], ""dict"": {""steps"": [[""features"", {""__mlspl_type"": [""sklearn.feature_extraction.text"", ""CountVectorizer""], ""dict"": {""input"": ""content"", ""encoding"": ""utf-8"", ""decode_error"": ""strict"", ""strip_accents"": null, ""preprocessor"": null, ""tokenizer"": null, ""analyzer"": ""word"", ""lowercase"": true, ""token_pattern"": "" collect | delete | fit | outputcsv | outputlookup |adhoc| sendalert | sendemail |splunk\\-system\\-user| tscollect | run | script | runshellscript "", ""stop_words"": null, ""max_df"": 1.0, ""min_df"": 1, ""max_features"": null, ""ngram_range"": [1, 1], ""vocabulary"": null, ""binary"": false, ""dtype"": {""__mlspl_type"": [""builtins"", ""type""], ""type"": [""numpy"", ""int64""]}, ""fixed_vocabulary_"": false, ""_stop_words_id"": 94300723879360, ""stop_words_"": {""__mlspl_type"": [""builtins"", ""set""], ""set"": []}, ""vocabulary_"": {""splunk-system-user"": 12, "" delete "": 1, ""adhoc"": 11, "" outputlookup "": 4, "" script "": 7, "" run "": 5, "" collect "": 0, "" sendemail "": 9, "" sendalert "": 8, "" outputcsv "": 3, "" fit "": 2, "" runshellscript "": 6, "" tscollect "": 10}}}], [""predictor"", {""__mlspl_type"": [""sklearn.linear_model._logistic"", ""LogisticRegression""], ""dict"": {""penalty"": ""l2"", ""dual"": false, ""tol"": 0.0001, ""C"": 1.0, ""fit_intercept"": true, ""intercept_scaling"": 1, ""class_weight"": {""0"": 1, ""1"": 10}, ""random_state"": null, ""solver"": ""liblinear"", ""max_iter"": 100, ""multi_class"": ""auto"", ""verbose"": 0, ""warm_start"": false, ""n_jobs"": null, ""l1_ratio"": null, ""n_features_in_"": 13, ""classes_"": {""__mlspl_type"": [""numpy"", ""ndarray""], 
""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGk4JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDIsKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAoAAAAAAAAAAAEAAAAAAAAA""}, ""coef_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGY4JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDEsIDEzKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAqulbT8VG8TQJU6VfC9QuY/kCCmapJVFUDQl14TS2ApPw5vYc32jBxAxVuQ3Sv35D8Y+azG/kDmP9vpUE0rTwlALsMVcoUGE0ASjjFaKyMaQA2zZ/yMQRZAQLZHc97OHEAfrzTDBGwSwA==""}, ""intercept_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGY4JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDEsKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAqBnhyKtBckwA==""}, ""n_iter_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGk0JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDEsKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAoLAAAA""}}}]], ""memory"": null, ""verbose"": false}}}}","{""args"": [""risk_score"", ""spl_text""], ""target_variable"": [""risk_score""], ""feature_variables"": [""spl_text""], ""model_name"": ""risky_spl_pre_trained_model"", ""algo_name"": ""LogisticRegression"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""1024"", ""max_model_size_mb"": ""15"", ""max_score_time"": ""600"", ""streaming_apply"": ""false"", ""use_sampling"": ""true""}, ""kfold_cv"": null}" diff --git a/lookups/__mlspl_risky_spl_pre_trained_model.yml b/lookups/__mlspl_risky_spl_pre_trained_model.yml deleted file mode 100644 index da0fe9b35e..0000000000 
--- a/lookups/__mlspl_risky_spl_pre_trained_model.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-description: Detect Risky SPL using Pretrained ML Model
-filename: __mlspl_risky_spl_pre_trained_model.mlmodel
-name: __mlspl_risky_spl_pre_trained_model
-case_sensitive_match: 'false'
-min_matches: 1
-default_match: 'false'
diff --git a/lookups/splunk_risky_command.yml b/lookups/splunk_risky_command.yml
deleted file mode 100644
index ece0089986..0000000000
--- a/lookups/splunk_risky_command.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-description: A list of Risky Splunk Command that are candidates for abuse
-filename: splunk_risky_command_20240601.csv
-name: splunk_risky_command
-default_match: 'false'
-match_type: WILDCARD(splunk_risky_command)
-min_matches: 1
-case_sensitive_match: 'false'
diff --git a/lookups/splunk_risky_command_20240601.csv b/lookups/splunk_risky_command_20240601.csv
deleted file mode 100644
index 50e03f2c2f..0000000000
--- a/lookups/splunk_risky_command_20240601.csv
+++ /dev/null
@@ -1,16 +0,0 @@
-"splunk_risky_command","description","vulnerable_versions","CVE","other_metadata"
-"*createrss*","createrss command overwrites existing RSS feeds without verifying permissions","8.1.13, 8.2.10","CVE-2023-22931",
-"*pivot?seedSid=*","pivot command allows a search to bypass SPL safeguards for risky commands using a saved job","8.1.13, 8.2.10, 9.0.4","CVE-2023-22934",
-"*|makeresults+&search_listener*","search_listener parameter in a Search allows for a Blind Server Side Request Forgery by an authenticated user","8.1.13, 8.2.10, 9.0.4","CVE-2023-22936",
-"*| map search=*| *","map search processing language (SPL) command lets a search bypass SPL safeguards for risky commands","8.1.13, 8.2.10, 9.0.4","CVE-2023-22939",
-"*|mcollect%20index*","collect command SPL aliases commands could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",
-"*|""*meventcollect*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",
-"*|""*summaryindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",
-"*|""*sumindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",
-"*|""*stash*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940",
-"*| sendalert *","display.page.search.patterns.sensitivity search parameter allows a search to bypass SPL safeguards for risky commands using obfuscation","8.1.13, 8.2.10, 9.0.4","CVE-2023-22935",
-"*|*runshellscript*","runshellscript searches should not be run
interactively via User Interface or REST API and may be used to bypass safeguards;
-runshellscript may be abused to exploit legacy internal functions in external lookups leading to arbitrary code execution","<8.1.14, <8.2.12, <9.0.6, <9.1.1;
-<8.2.12, <9.0.6, <9.1.1","CVE-2023-40598, CVE-2023-46214",
-"*|*mrollup*","The “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit.","<9.0.8, <9.1.3, <9.1.2308.200","CVE-2024-23676",
-"*|*mstats*", "The "mstats" SPL command lets malicious user can control a search query in Analytics Workspace using params from another search (via job SID) and quotation mark ' ' and " incorrect handling", "<9.0.10, <9.1.5, <9.2.2","CVE-2024-36984"
\ No newline at end of file