security_content_improvement_data_src
tccontre committed Jul 5, 2023
1 parent cf343e9 commit 2a05f96
Showing 18 changed files with 130 additions and 78 deletions.
4 changes: 3 additions & 1 deletion detections/endpoint/detect_new_local_admin_account.yml
Expand Up @@ -7,7 +7,9 @@ status: production
type: TTP
description: This search looks for newly created accounts that have been elevated
to local administrators.
data_source: []
data_source:
- Windows Security 4732
- Windows Security 4720
search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction member_id connected=false maxspan=180m | rename member_id as user
| stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`|
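Review bot: the two new data_source entries are listed as 4732 then 4720, which is neither numeric order nor the order the search uses (EventCode=4720 OR (EventCode=4732 ...)); the other files in this commit list event IDs ascending, so consider swapping them for consistency.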
3 changes: 2 additions & 1 deletion detections/endpoint/download_files_using_telegram.yml
Expand Up @@ -10,7 +10,8 @@ description: The following analytic will identify a suspicious download by the T
the adversary gained access, installed Telegram and followed through with downloading
different network scanners (port, bruteforcer, masscan) to the system and later
used to mapped the whole network and further move laterally.
data_source: []
data_source:
- Sysmon Event ID 15
search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier"
|stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode
Image process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
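Review bot: the description's context lines read "to the system and later used to mapped the whole network and further move laterally"; since this file is already being edited, consider fixing the grammar in the same change, e.g. "which were later used to map the whole network and move laterally".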
3 changes: 2 additions & 1 deletion detections/endpoint/drop_icedid_license_dat.yml
Expand Up @@ -8,7 +8,8 @@ type: Hunting
description: This search is to detect dropping a suspicious file named as "license.dat"
in %appdata%. This behavior seen in latest IcedID malware that contain the actual
core bot that will be injected in other process to do banking stealing.
data_source: []
data_source:
- Sysmon Event ID 11
search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*"
OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time)
as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)`
3 changes: 2 additions & 1 deletion detections/endpoint/excessive_usage_of_nslookup_app.yml
Expand Up @@ -11,7 +11,8 @@ description: This search is to detect potential DNS exfiltration using nslookup
use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are
commonly used by attacker and also the retry parameter which is designed to query
C2 DNS multiple tries.
data_source: []
data_source:
- Sysmon Event ID 1
search: '`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m
| stats count as numNsLookup by Computer, _time | eventstats avg(numNsLookup) as
avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by Computer |
Expand Up @@ -9,7 +9,8 @@ description: This search is to detect a suspicious excessive usage of sc.exe in
host machine. This technique was seen in several ransomware , xmrig and other malware
to create, modify, delete or disable a service may related to security application
or to gain privilege escalation.
data_source: []
data_source:
- Sysmon Event ID 1
search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m |
stats values(process) as process count as numScExe by Computer, _time | eventstats
avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by Computer
Expand Up @@ -8,7 +8,8 @@ type: Hunting
description: This search is to detect a suspicious file creation namely passff.tar
and cookie.tar. This files are possible archived of stolen browser information like
history and cookies in a compromised machine with IcedID.
data_source: []
data_source:
- Sysmon Event ID 11
search: '`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename
= "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by
TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)`
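Review bot: the description's context line "This files are possible archived of stolen browser information" should read "These files are possibly archives of stolen browser information"; worth fixing while the file is being touched.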
3 changes: 2 additions & 1 deletion detections/endpoint/modification_of_wallpaper.yml
Expand Up @@ -9,7 +9,8 @@ description: This analytic identifies suspicious modification of registry to def
or change the wallpaper of a compromised machines as part of its payload. This technique
was commonly seen in ransomware like REVIL where it create a bitmap file contain
a note that the machine was compromised and make it as a wallpaper.
data_source: []
data_source:
- Sysmon Event ID 13
search: '`sysmon` EventCode =13 (TargetObject= "*\\Control Panel\\Desktop\\Wallpaper"
AND Image != "*\\explorer.exe") OR (TargetObject= "*\\Control Panel\\Desktop\\Wallpaper"
AND Details = "*\\temp\\*") | stats count min(_time) as firstTime max(_time) as
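Review bot: both OR branches of the search test the same `TargetObject= "*\\Control Panel\\Desktop\\Wallpaper"` value, so the clause reduces to `TargetObject="*\\Control Panel\\Desktop\\Wallpaper" AND (Image != "*\\explorer.exe" OR Details = "*\\temp\\*")`; the simplified form is easier to read and to audit for gaps, and is worth applying while the file is open.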
Expand Up @@ -12,7 +12,8 @@ description: This search is to detect a suspicious MS scripting process such as
step to hunt further a suspicious ldap query or ldap related events to the host
that may give you good information regarding ldap or AD information processing or
might be a attacker.
data_source: []
data_source:
- Sysmon Event ID 7
search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded
IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") | stats min(_time) as firstTime
max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid
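Review bot: the description's context line ends "or might be a attacker"; should be "an attacker", a one-word fix to fold into this change.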
Expand Up @@ -12,7 +12,8 @@ description: This search is to detect a suspicious MS scripting process such as
to hunt further a suspicious wmi query or wmi related events to the host that may
give you good information regarding process that are commonly using wmi query or
modules or might be an attacker using this technique.
data_source: []
data_source:
- Sysmon Event ID 7
search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded
IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll" ,
"*\\wmiutils.dll", "*\\wbemcomn.dll") | stats min(_time) as firstTime max(_time)
Expand Up @@ -10,7 +10,8 @@ description: this search is designed to detect suspicious powershell process tha
CreateRemoteThread. This technique is seen in several malware like trickbot and
offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to
execute reverse shell to c2 and download another payload
data_source: []
data_source:
- Sysmon Event ID 8
search: '`sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "powershell.exe")
TargetImage IN ("*\\svchost.exe","*\\csrss.exe" "*\\gpupdate.exe", "*\\explorer.exe","*\\services.exe","*\\winlogon.exe","*\\smss.exe","*\\wininit.exe","*\\userinit.exe","*\\spoolsv.exe","*\\taskhost.exe")
| stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name
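Review bot: the TargetImage IN list in the search (context line) is missing a comma between `"*\\csrss.exe"` and `"*\\gpupdate.exe"`; since this file is being edited anyway, add it in the same change so the list parses as the intended set of process names rather than relying on how SPL tolerates the missing separator.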
Expand Up @@ -12,7 +12,8 @@ description: this search is designed to detect suspicious wermgr.exe process tha
for error handling process of windows it is really suspicious that this process
is trying to connect to this IP web services cause that maybe cause of some malicious
code injection.
data_source: []
data_source:
- Sysmon Event ID 22
search: '`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfismyip.com",
"*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com",
"*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org",
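Review bot: the QueryName IN list mixes leading-wildcard entries such as `"*wtfismyip.com"` with exact entries such as `"ident.me"` and `"www.myexternalip.com"`; the exact ones will not match subdomain lookups of those hosts while the wildcard ones will, so matching is uneven across the list. Pick one style (most likely the `*` prefix throughout) while this file is being touched.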
Expand Up @@ -5,20 +5,30 @@ date: '2023-03-23'
author: Mauricio Velazco, Splunk
type: TTP
status: production
data_source : []
description: The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number
remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could
represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors.
As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
search: ' `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$")
| bucket span=5m _time
| stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode
| where unique_targets > 30
| `windows_administrative_shares_accessed_on_multiple_hosts_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting file share events.
The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.
known_false_positives: An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior.
Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
data_source:
- Windows Security 5140
- Windows Security 5145
description: The following analytic leverages Event IDs 5140 or 5145 to identify a
source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across
a large number remote endpoints. Specifically, the logic will trigger when a source
endpoint accesses administrative shares across 30 or more target computers within
a 5 minute timespan. This behavior could represent an adversary who is enumerating
network shares across an Active Directory environment in the search for sensitive
files, a common technique leveraged by red teamers and threat actors. As environments
differ across organizations, security teams should customize the thresholds of this
detection as needed.
search: ' `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$"
OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats
dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName)
as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets
> 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
file share events. The Advanced Security Audit policy setting `Audit Detailed File
Share` or `Audit File Share` within `Object Access` need to be enabled.
known_false_positives: An single endpoint accessing windows administrative shares
across a large number of endpoints is not common behavior. Possible false positive
scenarios include but are not limited to vulnerability scanners, administration
systems and missconfigured systems.
references:
- https://attack.mitre.org/techniques/T1135/
- https://en.wikipedia.org/wiki/Administrative_share
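Review bot: the threshold wording and the search disagree: the rewrapped description says the logic triggers at "30 or more target computers", while the search keeps `where unique_targets > 30`, which fires only at 31 or more; align one with the other (the message field in the next hunk says "more than 30", which matches the search). The rewrap also carried two typos into the new known_false_positives lines, "An single endpoint" and "missconfigured systems", which should read "A single endpoint" and "misconfigured systems".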
Expand All @@ -32,7 +42,8 @@ tags:
asset_type: Endpoint
confidence: 80
impact: 70
message: $IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.
message: $IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan
of 5 minutes.
mitre_attack_id:
- T1135
observable:
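Review bot: the rewrapped message says $IpAddress$ "accessed the IPC share", but the search in this file matches ADMIN$, IPC$ and C$ and counts distinct Computer values across all three; consider wording such as "accessed administrative shares (ADMIN$, C$ or IPC$) on more than 30 endpoints" so the alert text describes what actually fired it.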
Expand Down Expand Up @@ -62,4 +73,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
sourcetype: XmlWinEventLog
Expand Up @@ -5,21 +5,31 @@ date: '2023-03-28'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source : []
description: The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain
two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment.
The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group
policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.
search: ' `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*")
| stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName
| rename AttributeValue as versionNumber
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_default_group_policy_object_modified_filter`'
how_to_implement: To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled.
Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default.
A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.
known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
data_source:
- Windows Security 5136
description: The following analytic leverages Event ID 5136 to identify the modification
of a default Group Policy Object. A fresh installation of an Active Directory network
will typically contain two default group policy objects `Default Domain Controllers
Policy` and `Default Domain Policy`. The default domain controllers policy is used
to enforce and set policies to all the domain controllers within the domain environment.
The default domain policy is linked to all users and computers by default. An adversary
who has obtained privileged access to an Active Directory network may modify the
default group policy objects to obtain further access, deploy persistence or execute
malware across a large number of hosts. Security teams should monitor the modification
of the default GPOs.
search: ' `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber
(ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*"
OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*")
| stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid
AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`'
how_to_implement: To successfully implement this search, the Advanced Security Audit
policy setting `Audit Directory Service Changes` within `DS Access` needs to be
enabled. Furthermore, the appropriate system access control lists (SACL) need to
be created as the used events are not logged by default. A good guide to accomplish
this can be found here https://jgspiers.com/audit-group-policy-changes/.
known_false_positives: The default Group Policy Objects within an AD network may be
legitimately updated for administrative operations, filter as needed.
references:
- https://attack.mitre.org/techniques/T1484/
- https://attack.mitre.org/techniques/T1484/001
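Review bot: the second well-known GPO GUID in the search is written `{6AC1786C-016F-11D2-945F-00C04fB984F9}` with a lowercase "f" while the first uses `00C04FB984F9`; Splunk field-value matching is case-insensitive so this is harmless, but normalizing the case while the line is being rewrapped avoids a reader mistaking it for a typo in the GUID.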
Expand Down Expand Up @@ -65,4 +75,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
sourcetype: XmlWinEventLog
40 changes: 24 additions & 16 deletions detections/endpoint/windows_group_policy_object_created.yml
Expand Up @@ -5,21 +5,29 @@ date: '2023-03-27'
author: Mauricio Velazco
status: production
type: TTP
data_source : []
description: The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure
applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or
deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network.
Security teams should monitor the creation of new Group Policy Objects.
search: ' `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer
| stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer
| eval GPO_Name = mvindex(details, 0)
| eval GPO_Path = mvindex(details, 1)
| fields - details
| `windows_group_policy_object_created_filter`'
how_to_implement: To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled.
Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default.
A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.
known_false_positives: Group Policy Objects are created as part of regular administrative operations, filter as needed.
data_source:
- Windows Security 5136
- Windows Security 5137
description: The following analytic leverages Event IDs 5136 and 51137 to identify
the creation of a new Group Policy Object. With GPOs, system administrators can
manage and configure applications, software operations, and user settings throughout
an entire organization. GPOs can be abused and leveraged by adversaries to escalate
privileges or deploy malware across an Active Directory network. As an example,
the Lockbit ransomware malware will create new group policies on the domain controller
that are then pushed out to every device on the network. Security teams should monitor
the creation of new Group Policy Objects.
search: ' `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New
Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath)
) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid)
as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details,
0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`'
how_to_implement: To successfully implement this search, the Advanced Security Audit
policy setting `Audit Directory Service Changes` within `DS Access` needs to be
enabled. Furthermore, the appropriate system access control lists (SACL) need to
be created as the used events are not logged by default. A good guide to accomplish
this can be found here https://jgspiers.com/audit-group-policy-changes/.
known_false_positives: Group Policy Objects are created as part of regular administrative
operations, filter as needed.
references:
- https://attack.mitre.org/techniques/T1484/
- https://attack.mitre.org/techniques/T1484/001
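Review bot: the rewrapped description still reads "Event IDs 5136 and 51137"; the search and the new data_source entry both use 5137, so fix the typo while the line is being rewritten. Separately, the search assigns GPO_Name and GPO_Path with `mvindex(details, 0)` and `mvindex(details, 1)` over `values(AttributeValue)`; values() returns the distinct values in lexicographic order rather than by which attribute produced them, so which value lands in GPO_Name depends on how the name and path sort against each other. Capturing displayName and gPCFileSysPath into separate fields before the stats would make the mapping deterministic.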
Expand Down Expand Up @@ -65,4 +73,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
sourcetype: XmlWinEventLog