Commit
srv-rr-gh-researchbt committed Jun 22, 2023
2 parents fe29b20 + eb39202 commit 5a42860
Showing 36 changed files with 253 additions and 233 deletions.
Expand Up @@ -5,13 +5,7 @@ date: '2021-12-17'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic identifies a suspicious file creation in known
cron table directories. This event is commonly abuse by malware, adversaries and
red teamers to persist on the target or compromised host. crontab or cronjob is
like a schedule task in windows environment where you can create an executable or
script on the known crontab directories to run it base on its schedule. This Anomaly
query is a good indicator to look further what file is added and who added the file
if to consider it legitimate file.
description: The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions.
data_source:
- Sysmon Event ID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
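Review bot: the sentence "The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job" refers to an analogy the new text never makes; the removed lines actually stated it ("crontab or cronjob is like a schedule task in windows environment"). Either restore a one-line comparison or drop the sentence. "the anomaly query flags the anomaly" is also circular; say what is flagged, i.e. a file created under one of the cron table directories.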
Expand All @@ -33,6 +27,7 @@ tags:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Linux Living Off The Land
- Scheduled Tasks
asset_type: Endpoint
confidence: 50
impact: 50
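Review bot: this hunk (like the matching tag hunks in the other files in this commit) adds "Scheduled Tasks" to analytic_story, which only resolves if a story of that exact name exists. None of the changed files shown here is a story definition, so confirm the story YAML is among the files not expanded in this view or is added separately; otherwise every one of these detections now references a story that does not exist.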
Expand Down
Expand Up @@ -5,11 +5,7 @@ date: '2023-04-14'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: The following analytic identifies a suspicious cron jobs modification
using crontab list parameters. This command line parameter can be abused by malware
like industroyer2, adversaries, and red teamers to add a crontab entry to their
malicious code to execute to the schedule they want. This event can also be executed
by administrator or normal user for automation purposes so filter is needed.
description: The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
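Review bot: the description says the list parameter is abused "to add a crontab entry", but crontab's list option on its own only prints the existing table, so the text does not explain why a modification would surface with a list parameter. If the search keys on the listed table being piped back into crontab with an extra line appended, say so in one sentence, so an analyst reading the alert understands the link between "-l" and a modified table; as written the sentence reads as if listing alone changes anything.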
Expand All @@ -34,6 +30,7 @@ tags:
- Linux Living Off The Land
- Data Destruction
- Linux Persistence Techniques
- Scheduled Tasks
asset_type: Endpoint
confidence: 50
impact: 50
Expand Down
12 changes: 4 additions & 8 deletions detections/endpoint/linux_at_allow_config_file_creation.yml
Expand Up @@ -5,14 +5,9 @@ date: '2021-12-17'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic identifies a suspicious file creation of /etc/at.allow
or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red
teamers to persist on the targeted or compromised host. These config files can restrict
or allow user to execute "at" application (another schedule task application in
linux). attacker can create a user or add the compromised username to that config
file to execute "at" to schedule it malicious code. This anomaly detection can be
a good indicator to investigate further the entry in created config file and who
created it to verify if it is a false positive.
description: The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\

Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions.
data_source:
- Sysmon Event ID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
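Review bot: the trailing "\" at the end of the first description paragraph is a literal character in a plain (unquoted) YAML scalar and will be carried into the description text; it only acts as a line continuation inside a double-quoted scalar. The same pattern is used in the other rewritten descriptions in this commit. If paragraph breaks are the goal, a block scalar (description: |) with the backslashes removed is the clean form; otherwise confirm the downstream renderer strips them.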
Expand All @@ -33,6 +28,7 @@ tags:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Linux Living Off The Land
- Scheduled Tasks
asset_type: Endpoint
confidence: 50
impact: 50
Expand Down
12 changes: 6 additions & 6 deletions detections/endpoint/linux_at_application_execution.yml
Expand Up @@ -5,12 +5,11 @@ date: '2022-05-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic identifies a suspicious process creation of At
application. This process can be used by malware, adversaries and red teamers to
create persistence entry to the targeted or compromised host with their malicious
code. This anomaly detection can be a good indicator to investigate the event before
and after this process execution, when it was executed and what schedule task it
will execute.
description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\

During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\

The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes
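Review bot: the new description repeats itself: "If a true positive is found, it suggests an attacker is trying to maintain access to the environment ... leading to data theft, ransomware, or other damaging outcomes" and, two sentences later, "When a true positive is detected, it suggests that an attacker is attempting to establish persistence ... This behavior can lead to data theft, ransomware attacks, or other damaging outcomes." Keep one. The sentence "To implement this analytic, ensure you are ingesting logs with the required fields ..." duplicates the how_to_implement field and belongs there, not in description.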
Expand All @@ -33,6 +32,7 @@ tags:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Linux Living Off The Land
- Scheduled Tasks
asset_type: Endpoint
confidence: 30
impact: 30
Expand Down
13 changes: 8 additions & 5 deletions detections/endpoint/linux_edit_cron_table_parameter.yml
Expand Up @@ -5,11 +5,13 @@ date: '2021-12-17'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: The following analytic identifies a suspicious cronjobs modification
using crontab edit parameter. This commandline parameter can be abuse by malware
author, adversaries, and red red teamers to add cronjob entry to their malicious
code to execute to the schedule they want. This event can also be executed by administrator
or normal user for automation purposes so filter is needed.
description: The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\

Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\

To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\

Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
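Review bot: the description now carries its own "To implement this analytic ..." and "Known false positives ..." paragraphs, which duplicate the how_to_implement and known_false_positives fields these detection files already have (see the unchanged context lines of the append-command-to-cronjob file later in this commit); keep that text in its own fields so it is not maintained in two places. The final paragraph also ends with a stray trailing "\" with nothing continuing before data_source:.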
Expand All @@ -31,6 +33,7 @@ tags:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Linux Living Off The Land
- Scheduled Tasks
asset_type: Endpoint
confidence: 30
impact: 30
Expand Down
Expand Up @@ -5,14 +5,9 @@ date: '2022-05-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic looks for suspicious commandline that may use to append
user entry to /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by
malware, adversaries or red teamers to persist on the targeted or compromised host.
These config file can restrict user that can only execute at application (another
schedule task application in linux). attacker can create a user or add the compromised
username to that config file to execute at to schedule it malicious code. This anomaly
detection can be a good indicator to investigate further the entry in created config
file and who created it to verify if it is a false positive.
description: The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\

In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes
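Review bot: "altering permissions for scheduled tasks" misstates what these files do: /etc/at.allow lists the users permitted to use at, and /etc/at.deny lists the users denied, so appending a username to at.deny blocks that user rather than granting anything. The persistence case this detection cares about is an entry added to at.allow (or a user's entry removed from at.deny); the removed lines said this more directly ("restrict user that can only execute at application"). Make the description distinguish the two files.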
Expand All @@ -34,6 +29,7 @@ tags:
analytic_story:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Scheduled Tasks
asset_type: Endpoint
confidence: 30
impact: 30
Expand Down
Expand Up @@ -5,10 +5,11 @@ date: '2021-12-17'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: This analytic looks for possible suspicious commandline that may use
to append a code to any existing cronjob files for persistence or privilege escalation.
This technique is commonly abused by malware, adversaries and red teamers to automatically
execute their code within a existing or sometimes in normal cronjob script file.
description: The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\

The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\

This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes
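Review bot: /etc/anacrontab is a file, not a directory, so "directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'" is inaccurate; say "paths" or list it separately. The hunk also hard-codes the search mechanics ("any 'echo' command which modifies files in ...") into the description while the search line itself is truncated here; confirm the listed paths match what the search actually checks, since a description naming paths the search does not cover will mislead triage.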
Expand All @@ -21,8 +22,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin
logs with the process name, parent process, and command-line executions from your
endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from
Splunkbase.
known_false_positives: Administrator or network operator can use this commandline
for automation purposes. Please update the filter macros to remove false positives.
known_false_positives: False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives.
references:
- https://attack.mitre.org/techniques/T1053/003/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
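Review bot: "adjust filter macros to eliminate such false positives" overstates what the macros can do; the removed wording "remove false positives" had the same problem, and "reduce" is the accurate verb for a known_false_positives field.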
Expand All @@ -32,6 +32,7 @@ tags:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Linux Living Off The Land
- Scheduled Tasks
asset_type: Endpoint
confidence: 70
impact: 70
Expand Down
Expand Up @@ -5,10 +5,14 @@ date: '2021-12-17'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: This analytic looks for possible modification of cronjobs file using
editor. This event is can be seen in normal user but can also be a good hunting
indicator for unwanted user modifying cronjobs for possible persistence or privilege
escalation.
description: The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\
The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\

In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\

To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\

Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
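Review bot: the first two paragraphs of the new description are not separated by a blank line (the line ending "... making such changes critical to monitor.\" is followed directly by "The identified behavior is significant ..."), while the remaining paragraphs are, so this break will fold differently from the others when the scalar is parsed; insert the blank line for consistency with the rest of the description.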
Expand All @@ -31,6 +35,7 @@ tags:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Linux Living Off The Land
- Scheduled Tasks
asset_type: Endpoint
confidence: 30
impact: 20
Expand Down
0 comments on commit 5a42860