Merge branch 'develop' into nterl0k-t1036-lolbash-your-face

.github/labeler.yml

@@ -0,0 +1,21 @@
+Detections:
+- changed-files:
+  - any-glob-to-any-file: 
+    - detections/**
+    - dev/**
+
+Stories:
+- changed-files:
+  - any-glob-to-any-file: stories/*
+
+Playbooks:
+- changed-files:
+  - any-glob-to-any-file: playbooks/*
+
+Macros:
+- changed-files:
+  - any-glob-to-any-file: macros/*
+
+Lookups:
+- changed-files:
+  - any-glob-to-any-file: lookups/*

.github/workflows/labeler.yml

@@ -0,0 +1,18 @@
+name: "Pull Request Labeler"
+on:
+- pull_request_target
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with: 
+        repository: "splunk/security_content"
+    - uses: actions/labeler@v5
+      with:
+        sync-labels: true
+        configuration-path: '.github/labeler.yml'

detections/endpoint/disable_logs_using_wevtutil.yml

@@ -1,7 +1,7 @@
 name: Disable Logs Using WevtUtil
 id: 236e7c8e-c9d9-11eb-a824-acde48001122
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-07-23'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -41,7 +41,7 @@ tags:
   asset_type: Endpoint
   confidence: 80
   impact: 30
-  message: WevtUtil.exe used to disable Event Logging on $dest
+  message: WevtUtil.exe used to disable Event Logging on $dest$
   mitre_attack_id:
   - T1070
   - T1070.001
@@ -73,3 +73,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/disable_windows_behavior_monitoring.yml

@@ -1,7 +1,7 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 6
-date: '2024-05-18'
+version: 7
+date: '2024-07-23'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -48,7 +48,7 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 40
-  message: Windows Defender real time behavior monitoring disabled on $dest
+  message: Windows Defender real time behavior monitoring disabled on $dest$
   mitre_attack_id:
   - T1562.001
   - T1562
@@ -78,3 +78,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml

@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via DCOM and PowerShell
 id: d4f42098-4680-11ec-ad07-3e22fbd008af
-version: 2
-date: '2024-05-20'
+version: 3
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
   asset_type: Endpoint
   confidence: 70
   impact: 90
-  message: A process was started on a remote endpoint from $dest by abusing DCOM using
+  message: A process was started on a remote endpoint from $dest$ by abusing DCOM using
     PowerShell.exe
   mitre_attack_id:
   - T1021
@@ -78,3 +78,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml

@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WinRM and PowerShell
 id: ba24cda8-4716-11ec-8009-3e22fbd008af
-version: 2
-date: '2024-05-14'
+version: 3
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 90
-  message: A process was started on a remote endpoint from $dest by abusing WinRM
+  message: A process was started on a remote endpoint from $dest$ by abusing WinRM
     using PowerShell.exe
   mitre_attack_id:
   - T1021
@@ -78,3 +78,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml

@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WinRM and Winrs
 id: 0dd296a2-4338-11ec-ba02-3e22fbd008af
-version: 2
-date: '2024-05-16'
+version: 3
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
   asset_type: Endpoint
   confidence: 60
   impact: 90
-  message: A process was started on a remote endpoint from $dest
+  message: A process was started on a remote endpoint from $dest$
   mitre_attack_id:
   - T1021
   - T1021.006
@@ -77,3 +77,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml

@@ -1,7 +1,7 @@
 name: Scheduled Task Creation on Remote Endpoint using At
 id: 4be54858-432f-11ec-8209-3e22fbd008af
-version: 2
-date: '2024-05-24'
+version: 3
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -43,7 +43,7 @@ tags:
   asset_type: Endpoint
   confidence: 60
   impact: 90
-  message: A Windows Scheduled Task was created on a remote endpoint from $dest
+  message: A Windows Scheduled Task was created on a remote endpoint from $dest$
   mitre_attack_id:
   - T1053
   - T1053.002
@@ -78,3 +78,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml

@@ -1,7 +1,7 @@
 name: Scheduled Task Initiation on Remote Endpoint
 id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 2
-date: '2024-05-25'
+version: 3
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
   asset_type: Endpoint
   confidence: 60
   impact: 90
-  message: A Windows Scheduled Task was ran on a remote endpoint from $dest
+  message: A Windows Scheduled Task was ran on a remote endpoint from $dest$
   mitre_attack_id:
   - T1053
   - T1053.005
@@ -77,3 +77,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/windows_new_inprocserver32_added.yml

@@ -1,7 +1,7 @@
 name: Windows New InProcServer32 Added
 id: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-07-23'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 13
@@ -57,11 +57,12 @@ tags:
   risk_score: 2
   security_domain: endpoint
   cve:
-  - cve-2024-21378
+  - CVE-2024-21378
 tests:
 - name: True Positive Test
   attack_data:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log
     sourcetype: xmlwineventlog
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+# version bumped by pre-commit hook

detections/endpoint/windows_service_creation_on_remote_endpoint.yml

@@ -1,7 +1,7 @@
 name: Windows Service Creation on Remote Endpoint
 id: e0eea4fa-4274-11ec-882b-3e22fbd008af
-version: 2
-date: '2024-05-21'
+version: 3
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -44,7 +44,7 @@ tags:
   asset_type: Endpoint
   confidence: 60
   impact: 90
-  message: A Windows Service was created on a remote endpoint from $dest
+  message: A Windows Service was created on a remote endpoint from $dest$
   mitre_attack_id:
   - T1543
   - T1543.003
@@ -79,3 +79,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

detections/endpoint/windows_service_initiation_on_remote_endpoint.yml

@@ -1,7 +1,7 @@
 name: Windows Service Initiation on Remote Endpoint
 id: 3f519894-4276-11ec-ab02-3e22fbd008af
-version: 2
-date: '2024-05-10'
+version: 3
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -41,7 +41,7 @@ tags:
   asset_type: Endpoint
   confidence: 60
   impact: 90
-  message: A Windows Service was started on a remote endpoint from $dest
+  message: A Windows Service was started on a remote endpoint from $dest$
   mitre_attack_id:
   - T1543
   - T1543.003
@@ -76,3 +76,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
+# version bumped by pre-commit hook