diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000000..98a5d03fc0 --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,21 @@ +Detections: +- changed-files: + - any-glob-to-any-file: + - detections/** + - dev/** + +Stories: +- changed-files: + - any-glob-to-any-file: stories/* + +Playbooks: +- changed-files: + - any-glob-to-any-file: playbooks/* + +Macros: +- changed-files: + - any-glob-to-any-file: macros/* + +Lookups: +- changed-files: + - any-glob-to-any-file: lookups/* \ No newline at end of file diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml new file mode 100644 index 0000000000..d847ab278d --- /dev/null +++ b/.github/workflows/labeler.yml @@ -0,0 +1,18 @@ +name: "Pull Request Labeler" +on: +- pull_request_target + +jobs: + labeler: + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: "splunk/security_content" + - uses: actions/labeler@v5 + with: + sync-labels: true + configuration-path: '.github/labeler.yml' \ No newline at end of file diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index 8e9b434c05..d6d862df55 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml @@ -1,7 +1,7 @@ name: Disable Logs Using WevtUtil id: 236e7c8e-c9d9-11eb-a824-acde48001122 -version: 2 -date: '2024-05-13' +version: 3 +date: '2024-07-23' author: Teoderick Contreras, Splunk status: production type: TTP @@ -41,7 +41,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 30 - message: WevtUtil.exe used to disable Event Logging on $dest + message: WevtUtil.exe used to disable Event Logging on $dest$ mitre_attack_id: - T1070 - T1070.001 
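Review bot: In the new `.github/labeler.yml`, the `Stories`, `Playbooks`, `Macros` and `Lookups` entries use a single-level glob (`stories/*`, `playbooks/*`, `macros/*`, `lookups/*`) while `Detections` uses `detections/**`, so a file added one directory deeper under any of those four paths would not be labelled; if those directories are flat today this is only latent, but `stories/**` (and likewise for the other three) matches both cases and keeps the five entries consistent. The `Detections` label also fires for `dev/**`, which is not evident from the label name, so a one-line comment above that glob stating why `dev/` counts as detection content would record the intent for whoever edits this file next. The diff's `\ No newline at end of file` marker shows the file is missing its trailing newline.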
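Review bot: The new workflow in `.github/workflows/labeler.yml` runs on `pull_request_target`, so for fork PRs it executes with a token that has `pull-requests: write`; the `actions/checkout@v4` step is safe only because it sets no `ref` and therefore checks out the base repository, and that invariant is undocumented, so a later `ref: ${{ github.event.pull_request.head.sha }}` would turn this into a pwn-request. Add a comment above the checkout such as `# pull_request_target: token has pull-requests:write. Never add ref: to this checkout or run PR-controlled code in this job.`. Both actions are referenced by mutable tags; pinning them to full commit SHAs (`actions/checkout@<sha> # v4`, `actions/labeler@<sha> # v5`) prevents a retagged or compromised release from running with that token. The explicit `repository: "splunk/security_content"` appears redundant with the default of the current repository and hard-codes the upstream for anyone running the workflow in a fork; drop it unless there is a reason to keep it, and say so in a comment if there is.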
@@ -73,3 +73,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 5c5df98512..faeab8144f 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -1,7 +1,7 @@ name: Disable Windows Behavior Monitoring id: 79439cae-9200-11eb-a4d3-acde48001122 -version: 6 -date: '2024-05-18' +version: 7 +date: '2024-07-23' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP @@ -48,7 +48,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 40 - message: Windows Defender real time behavior monitoring disabled on $dest + message: Windows Defender real time behavior monitoring disabled on $dest$ mitre_attack_id: - T1562.001 - T1562 @@ -78,3 +78,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml index 6f3ea167d8..8dc4550c8c 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml @@ -1,7 +1,7 @@ name: Remote Process Instantiation via DCOM and PowerShell id: d4f42098-4680-11ec-ad07-3e22fbd008af -version: 2 -date: '2024-05-20' +version: 3 +date: '2024-07-23' author: Mauricio Velazco, Splunk status: production type: TTP 
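Review bot: The appended `# version bumped by pre-commit hook` line at the end of `disable_logs_using_wevtutil.yml` (and the same trailer added to every other detection in this diff) records a process event in file content where no reader of the detection benefits from it, and if the hook appends unconditionally a second bump would presumably add a duplicate line. The version change is already visible in the `version:` field and the commit itself; consider recording the hook provenance in the commit message instead, or, if an in-file marker is wanted, making the hook idempotent and placing a single comment next to `version:` such as `version: 3  # bumped by pre-commit hook` rather than a trailer after `tests:`. The enclosing `tests:` block starts outside this hunk.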
@@ -42,7 +42,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 90 - message: A process was started on a remote endpoint from $dest by abusing DCOM using + message: A process was started on a remote endpoint from $dest$ by abusing DCOM using PowerShell.exe mitre_attack_id: - T1021 @@ -78,3 +78,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml index 9e728ff016..af56428100 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml @@ -1,7 +1,7 @@ name: Remote Process Instantiation via WinRM and PowerShell id: ba24cda8-4716-11ec-8009-3e22fbd008af -version: 2 -date: '2024-05-14' +version: 3 +date: '2024-07-23' author: Mauricio Velazco, Splunk status: production type: TTP @@ -42,7 +42,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 90 - message: A process was started on a remote endpoint from $dest by abusing WinRM + message: A process was started on a remote endpoint from $dest$ by abusing WinRM using PowerShell.exe mitre_attack_id: - T1021 @@ -78,3 +78,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml index 0e1089703d..dc49246063 100644 
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml @@ -1,7 +1,7 @@ name: Remote Process Instantiation via WinRM and Winrs id: 0dd296a2-4338-11ec-ba02-3e22fbd008af -version: 2 -date: '2024-05-16' +version: 3 +date: '2024-07-23' author: Mauricio Velazco, Splunk status: production type: TTP @@ -42,7 +42,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 90 - message: A process was started on a remote endpoint from $dest + message: A process was started on a remote endpoint from $dest$ mitre_attack_id: - T1021 - T1021.006 @@ -77,3 +77,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index 6462ab1b60..837dcae27a 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -1,7 +1,7 @@ name: Scheduled Task Creation on Remote Endpoint using At id: 4be54858-432f-11ec-8209-3e22fbd008af -version: 2 -date: '2024-05-24' +version: 3 +date: '2024-07-23' author: Mauricio Velazco, Splunk status: production type: TTP @@ -43,7 +43,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 90 - message: A Windows Scheduled Task was created on a remote endpoint from $dest + message: A Windows Scheduled Task was created on a remote endpoint from $dest$ mitre_attack_id: - T1053 - T1053.002 
@@ -78,3 +78,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index 437884fada..aec10199f4 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -1,7 +1,7 @@ name: Scheduled Task Initiation on Remote Endpoint id: 95cf4608-4302-11ec-8194-3e22fbd008af -version: 2 -date: '2024-05-25' +version: 3 +date: '2024-07-23' author: Mauricio Velazco, Splunk status: production type: TTP @@ -42,7 +42,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 90 - message: A Windows Scheduled Task was ran on a remote endpoint from $dest + message: A Windows Scheduled Task was ran on a remote endpoint from $dest$ mitre_attack_id: - T1053 - T1053.005 @@ -77,3 +77,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml index 0b9156b74e..9d0e9c77fb 100644 --- a/detections/endpoint/windows_new_inprocserver32_added.yml +++ b/detections/endpoint/windows_new_inprocserver32_added.yml @@ -1,7 +1,7 @@ name: Windows New InProcServer32 Added id: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db -version: 2 -date: '2024-05-13' +version: 3 +date: '2024-07-23' author: Michael Haag, Splunk data_source: - Sysmon EventID 13 
@@ -57,7 +57,7 @@ tags: risk_score: 2 security_domain: endpoint cve: - - cve-2024-21378 + - CVE-2024-21378 tests: - name: True Positive Test attack_data: @@ -65,3 +65,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +# version bumped by pre-commit hook diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml index a2742671f3..642eac7e5c 100644 --- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml @@ -1,7 +1,7 @@ name: Windows Service Creation on Remote Endpoint id: e0eea4fa-4274-11ec-882b-3e22fbd008af -version: 2 -date: '2024-05-21' +version: 3 +date: '2024-07-23' author: Mauricio Velazco, Splunk status: production type: TTP @@ -44,7 +44,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 90 - message: A Windows Service was created on a remote endpoint from $dest + message: A Windows Service was created on a remote endpoint from $dest$ mitre_attack_id: - T1543 - T1543.003 @@ -79,3 +79,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml index 2aa32d5e0e..7c59bd88a4 100644 --- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml 
@@ -1,7 +1,7 @@ name: Windows Service Initiation on Remote Endpoint id: 3f519894-4276-11ec-ab02-3e22fbd008af -version: 2 -date: '2024-05-10' +version: 3 +date: '2024-07-23' author: Mauricio Velazco, Splunk status: production type: TTP @@ -41,7 +41,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 90 - message: A Windows Service was started on a remote endpoint from $dest + message: A Windows Service was started on a remote endpoint from $dest$ mitre_attack_id: - T1543 - T1543.003 @@ -76,3 +76,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog +# version bumped by pre-commit hook